Padding Oracle Attack with always 200 response

sla.ckers.org is
ha.ckers sla.cking

For any nonsense or banter that doesn't fit anywhere else. LoL! omg! ROFL!

Go to Topic: Previous•Next

Go to: Forum List•Message List•New Topic•Search•Log In

Padding Oracle Attack with always 200 response

Posted by: p0deje

Date: April 21, 2011 03:07AM

Hello,

I currently pentest ASP.NET application and trying to exploit Padding Oracle Attack. Those AFAIK are based on response code analysis, but both ScriptResource and WebResource axds of the system under test always response with 200 OK, even if cipher has been invalid. In this case, however, the content of the response is an empty string.

So, the question is if it's possible to use any of the axd as the oracle in this case? Maybe basing on response content difference.

---------
http://p0deje.blogspot.com

Options: Reply•Quote

Re: Padding Oracle Attack with always 200 response

Posted by: thornmaker

Date: April 28, 2011 06:17AM

The web server response code has nothing to do with the attack; a web server doesn't even need to be involved. The distinguishing factor (as I recall) is being able to determine when you have an error due to a faulty decryption and an error due to incorrect padding. If you can distinguish between those two cases (via any means), you're in luck.

Options: Reply•Quote

Go to: Forum List•Message List•Search•Log In

Sorry, only registered users may post in this forum.

Click here to login