⚠️ Pracivo Security Lab — Cryptography vulnerabilities: ECB penguin attack, padding oracle, weak ciphers, SSL/TLS misconfig, JWT cracking.
Padding Oracle Attack
CBC DECRYPTION
# CBC mode with PKCS#7 padding
# If the server reveals whether padding is valid (via error messages or timing),
# an attacker can decrypt ANY ciphertext without the key
# How it works:
# CBC decryption: P[i] = D(C[i]) XOR C[i-1]
# If we can flip bits in C[i-1] and observe padding errors,
# we can deduce D(C[i]) one byte at a time
# The oracle (padding error leaked by server):
# - "Invalid padding" error message (different from "wrong password")
# - 500 error vs 403 error
# - Different response time
# - Different response body length
# Attack steps:
# 1. Intercept valid ciphertext C
# 2. Modify last byte of C[n-1] until server returns "valid padding"
# 3. When valid: last plaintext byte = 0x01 XOR your_byte XOR original_byte
# 4. Repeat for all bytes
# Real tool — padbuster:
padbuster http://target.com/login ENCRYPTED_COOKIE 16 -encoding 0
# -16 = AES block size, -encoding 0 = raw bytes
# PadBuster can:
# - Decrypt any CBC encrypted value
# - Re-encrypt arbitrary data with the server's key
# - Forge "admin=true" cookies
# Python implementation:
# pip install pycryptodome
# See: github.com/AonCyberLabs/PadBuster
# Prevention:
# - Use AES-GCM (authenticated encryption) — MAC prevents bit flipping
# - Never expose padding errors — use generic "invalid request" message
# - Use constant-time comparison for MAC verification