Practical Crypto Attacks Against Web Applications (Thai Duong & Juliano Rizzo)
Abstract (source: Blackhat.com)
In 2009, we released a paper on MD5 extension attack (), and described how attackers can use the attack to exploit popular web sites such as Flickr, Vimeo, Scribd, etc. The attack has been well-received by the community, and made the Top Ten Web Hacking Techniques of 2009 (). In the conclusion of that paper, we stated that we have been carrying out a research in which we test-run a number of identified practical crypto attacks on random widely-used software systems. To our surprise, most, if not all, can be attacked by one or more of well-known crypto bugs. In this talk, we present the latest result of that research, where we choose another powerful crypto attack, and turn it into a new set of practical web hacking techniques.
We show that widely used web development frameworks and web sites are using encryption wrongly that allow attackers to read and modify data that should be protected. It has been known for years in cryptography community that encryption is not authentication. If encrypted messages are not authenticated, data integrity cannot be guaranteed which makes systems vulnerable to practical and dangerous chosen-ciphertext attacks. Finally, we list several popular web development frameworks and web sites that are vulnerable to Padding Oracle attacks, including, but not limited to, eBay Latin America, Apache MyFaces, SUN Mojarra, Ruby On Rails, etc. These are all 0-day vulnerabilities. We show that even OWASP folks can’t get it right, how can an average Joe survive this new class of vulnerabilities? We strongly believe that this is just the tip of the iceberg, and the techniques we describe in this research would uncover many more vulnerabilities for years to come.
Talk Abstract –> Practical Crypto Attacks Against Web Applications
Speaker Bio –> Thai Duong, Juliano Rizzo
Practical Padding Oracle Attacks
First introduced by Vaudenay at Eurocrypt 2002
- Adversary can intercept padded messages encrypted in CBC mode.
- Adversary has access to a padding oracle.
Demo (fail) –> Exploiting RubyOnRails ActiveSupport::MessageEncryptor
Finding potential padding oracles
- Crawl the target to find BASE64 strings that look like ciphertext
- Look for known source code keywords like javax.crypto.BadPaddingException
- Look for routines that perform encryption and decryption that have some code to handle error while decrypting
Confirming the existence of padding oracles
- Confirm the block size b
- All padding oracle attacks need a correct b
- Most common attack sizes are 8 and 16 bytes – Trial and error
POET – Padding Oracle Exploitation Tool –> Not yet publicly released
Decrypting JSF viewstates
JavaServer Faces (JSF)
Although the JSF specification advises that view state should be encrypted and tamper evident, not many implementations follow that advice.
This means the Padding Oracle attack can be used to decrypt the view states of most JSF frameworks
By default, all JSF frameworks would display a very detailed error message if it fails to decrypt a view state
If error messages are turned off, it is still possible to perform the attack
JAVA ignores the extra (padding blocks) while decrypting and deserializing the viewstate. This allows for sending random padding at the end of the string to see the response. If the viewstate returns the same information the padding is valid. If the server returns a HTTP 500, then it’s invalid.
CBC-R turns a decryption oracle into an encryption oracle
Only a single bit of information is necessary to exploit a padding oacle
Cross-domain leakage bugs in web-browsers can help
- Padding oracle attacks allow one to decrypt ciphertext without knowing the key.
- We can use padding oracle attacks to crack CAPTCHA, and decrypt JSF view state, etc.
- CBC-R turns a decryption oracle into an encryption oracle, and allow us to create malicious JSF view states.
- Distributed cross-site padding oracle attacks allow one to distributively build a code book to map all ciphertexts to corresponding plaintexts.
Note: Blogging Crypto talks is almost impossible….. I’d suggest grabbing the slides, whitepaper, video and a lot of coffee!
For more information please see the Blackhat Europe website
Pingback: Blackhat Europe: Gone, but not forgotten « ©атсн²² (in)sесuяitу
Pingback: OWASP Montreal Meeting Tonight « Montreal Stuff
POET 1.0 released http://netifera.com/research/
It seems to me that a JSF site would only be vulnerable to this attack if they are using client-side state saving and not the default setting, which is server-side state saving. Please correct me if I am wrong.