Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

Blackhat Europe: Practical Crypto Attacks Against Web Applications

Practical Crypto Attacks Against Web Applications (Thai Duong & Juliano Rizzo)

Abstract (source: Blackhat.com)

In 2009, we released a paper on the MD5 extension attack ([1]), and described how attackers can use the attack to exploit popular web sites such as Flickr, Vimeo, Scribd, etc. The attack has been well-received by the community, and made the Top Ten Web Hacking Techniques of 2009 ([2]). In the conclusion of that paper, we stated that we have been carrying out research in which we test-run a number of identified practical crypto attacks on random widely-used software systems. To our surprise, most, if not all, can be attacked by one or more well-known crypto bugs. In this talk, we present the latest result of that research, where we choose another powerful crypto attack, and turn it into a new set of practical web hacking techniques.

We show that widely used web development frameworks and web sites are using encryption wrongly, which allows attackers to read and modify data that should be protected. It has been known for years in the cryptography community that encryption is not authentication. If encrypted messages are not authenticated, data integrity cannot be guaranteed, which makes systems vulnerable to practical and dangerous chosen-ciphertext attacks. Finally, we list several popular web development frameworks and web sites that are vulnerable to Padding Oracle attacks, including, but not limited to, eBay Latin America, Apache MyFaces, SUN Mojarra, Ruby On Rails, etc. These are all 0-day vulnerabilities. We show that even OWASP folks can’t get it right; how can an average Joe survive this new class of vulnerabilities? We strongly believe that this is just the tip of the iceberg, and the techniques we describe in this research would uncover many more vulnerabilities for years to come.

Talk Abstract –> Practical Crypto Attacks Against Web Applications

Speaker Bio –> Thai Duong, Juliano Rizzo

Practical Padding Oracle Attacks

First introduced by Vaudenay at Eurocrypt 2002

Two assumptions

  • Adversary can intercept padded messages encrypted in CBC mode.
  • Adversary has access to a padding oracle.
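As an added illustration of those two assumptions (this is not code from the talk, from POET, or from any of the frameworks named): a CBC padding oracle over a toy block cipher, the byte-at-a-time recovery that a single yes/no padding bit permits, and the same ciphertext behind an encrypt-then-MAC check, where the oracle goes silent. The Feistel cipher, key, IV and plaintext are constructed stand-ins so the block runs on the standard library alone.

```python
import hashlib, hmac
BLOCK = 16
def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))
# Toy keyed 16-byte permutation (4-round Feistel over SHA-256) standing in for AES; the attack ignores the cipher.
def _f(key, i, half):
    return hashlib.sha256(key + bytes([i]) + half).digest()[:8]
def block_encrypt(key, b):
    l, r = b[:8], b[8:]
    for i in range(4):
        l, r = r, xor(l, _f(key, i, r))
    return l + r
def block_decrypt(key, b):
    l, r = b[:8], b[8:]
    for i in reversed(range(4)):
        l, r = xor(r, _f(key, i, l)), l
    return l + r
def pkcs7_ok(p):
    return 1 <= p[-1] <= BLOCK and p[-p[-1]:] == bytes([p[-1]]) * p[-1]
def padding_oracle(key):            # leaky server: "bad padding" is distinguishable
    return lambda prev, c: pkcs7_ok(xor(prev, block_decrypt(key, c)))
def mac_oracle(key, tag):           # encrypt-then-MAC: forgeries rejected before unpadding
    def check(prev, c):
        good = hmac.compare_digest(hmac.new(key, prev + c, "sha256").digest(), tag)
        return good and pkcs7_ok(xor(prev, block_decrypt(key, c)))
    return check
def recover_block(oracle, prev, c):
    inter = bytearray(BLOCK)        # D_k(c), learned from the last byte backwards
    for pos in range(BLOCK - 1, -1, -1):
        padv = BLOCK - pos          # padding value forced onto bytes pos..15
        for g in range(256):
            crafted = bytearray(g if j == pos else (inter[j] ^ padv if j > pos else 0)
                                for j in range(BLOCK))
            if not oracle(bytes(crafted), c):
                continue
            if pos == BLOCK - 1:    # last byte: rule out an accidental \x02\x02 hit
                crafted[pos - 1] ^= 0xFF
                if not oracle(bytes(crafted), c):
                    continue
            inter[pos] = g ^ padv
            break
    return xor(inter, prev)
def demo():
    # Constructed key, IV and one PKCS#7-padded block; not values from the talk.
    key, iv = b"sixteen byte key", bytes(range(BLOCK))
    plain = b"user=guest" + b"\x06" * 6
    c = block_encrypt(key, xor(iv, plain))      # one CBC block: C = E_k(P xor IV)
    leaked = recover_block(padding_oracle(key), iv, c)
    blocked = recover_block(mac_oracle(key, hmac.new(key, iv + c, "sha256").digest()), iv, c)
    return leaked, blocked, plain
```

With the padding oracle, `demo()` returns the plaintext without ever touching the key; behind the MAC every crafted block is refused, so the recovered bytes are just the IV.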

Demo (fail) –> Exploiting RubyOnRails ActiveSupport::MessageEncryptor

Finding potential padding oracles

  • Crawl the target to find BASE64 strings that look like ciphertext
  • Look for known source code keywords like javax.crypto.BadPaddingException
  • Look for routines that perform encryption and decryption that have some code to handle error while decrypting

Confirming the existence of padding oracles

  • Confirm the block size b
    • All padding oracle attacks need a correct b
    • Most common block sizes are 8 and 16 bytes; confirm by trial and error

POET – Padding Oracle Exploitation Tool –> Not yet publicly released

Cracking CAPTCHA

Some CAPTCHA systems are open to the padding oracle attack demonstrated earlier. A method to perform this has been developed using just JavaScript (in the browser).

Decrypting JSF viewstates

JavaServer Faces (JSF)

Although the JSF specification advises that view state should be encrypted and tamper evident, not many implementations follow that advice.

This means the Padding Oracle attack can be used to decrypt the view states of most JSF frameworks.

By default, all JSF frameworks display a very detailed error message if they fail to decrypt a view state.

If error messages are turned off, it is still possible to perform the attack.

Java ignores the extra padding blocks while decrypting and deserializing the view state. This allows sending arbitrary padding at the end of the string and observing the response: if the view state returns the same information, the padding is valid; if the server returns an HTTP 500, it is invalid.


CBC-R turns a decryption oracle into an encryption oracle

Only a single bit of information is necessary to exploit a padding oracle

Cross-domain leakage bugs in web-browsers can help


  • Padding oracle attacks allow one to decrypt ciphertext without knowing the key.
  • We can use padding oracle attacks to crack CAPTCHA, and decrypt JSF view state, etc.
  • CBC-R turns a decryption oracle into an encryption oracle, and allows us to create malicious JSF view states.
  • Distributed cross-site padding oracle attacks allow one to distributively build a code book to map all ciphertexts to corresponding plaintexts.

Note: Blogging Crypto talks is almost impossible….. I’d suggest grabbing the slides, whitepaper, video and a lot of coffee!

Additional Links

For more information please see the Blackhat Europe website


4 responses to “Blackhat Europe: Practical Crypto Attacks Against Web Applications”

  1. Pingback: Blackhat Europe: Gone, but not forgotten « ©атсн²² (in)sесuяitу

  2. Pingback: OWASP Montreal Meeting Tonight « Montreal Stuff

  3. Ray June 9, 2010 at 17:15

    It seems to me that a JSF site would only be vulnerable to this attack if they are using client-side state saving and not the default setting, which is server-side state saving. Please correct me if I am wrong.
