Sla.ckers.org
For any nonsense or banter that doesn't fit anywhere else. LoL! omg! ROFL! 
Padding Oracle Attack with always 200 response
Posted by: p0deje
Date: April 21, 2011 03:07AM

Hello,

I am currently pentesting an ASP.NET application and trying to exploit a Padding Oracle Attack. Those, AFAIK, are based on response code analysis, but both the ScriptResource and WebResource axds of the system under test always respond with 200 OK, even if the cipher has been invalid. In this case, however, the content of the response is an empty string.

So, the question is whether it's possible to use any of the axds as the oracle in this case? Maybe based on the difference in response content.

---------
http://p0deje.blogspot.com

Re: Padding Oracle Attack with always 200 response
Posted by: thornmaker
Date: April 28, 2011 06:17AM

The web server response code has nothing to do with the attack; a web server doesn't even need to be involved. The distinguishing factor (as I recall) is being able to determine when you have an error due to a faulty decryption and an error due to incorrect padding. If you can distinguish between those two cases (via any means), you're in luck.

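The point made in the reply above, as an added example that is not part of the original thread: a handler that always answers 200 still leaks padding validity through its body, and verifying a MAC before decryption collapses every tampered token into one response. The handler names, the `/js/app.js` path and the toy Feistel cipher standing in for AES are assumptions made for this sketch.

```python
import hashlib, hmac, os

BS, KEY, MAC_KEY = 16, os.urandom(16), os.urandom(32)  # block size, constructed demo keys

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))
def _f(i, half):  # round function of a toy Feistel cipher standing in for AES
    return hashlib.sha256(KEY + bytes([i]) + half).digest()[:8]

def _enc_block(b):
    l, r = b[:8], b[8:]
    for i in range(4):
        l, r = r, _xor(l, _f(i, r))
    return l + r

def _dec_block(b):
    l, r = b[:8], b[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _f(i, l)), l
    return l + r

def encrypt(pt):  # CBC with PKCS#7 padding, random IV prepended
    n = BS - len(pt) % BS
    pt, out = pt + bytes([n]) * n, [os.urandom(BS)]
    for i in range(0, len(pt), BS):
        out.append(_enc_block(_xor(pt[i:i + BS], out[-1])))
    return b"".join(out)

def decrypt(ct):  # returns None when the padding is invalid
    bl = [ct[i:i + BS] for i in range(0, len(ct), BS)]
    pt = b"".join(_xor(_dec_block(c), p) for p, c in zip(bl, bl[1:]))
    n = pt[-1] if pt and len(ct) % BS == 0 else 0
    return pt[:-n] if 1 <= n <= BS and pt.endswith(bytes([n]) * n) else None

def tag(ct):
    return hmac.new(MAC_KEY, ct, hashlib.sha256).digest()

def vulnerable_handler(ct):  # always 200, but an empty body only on bad padding
    pt = decrypt(ct)
    if pt is None:
        return (200, "")
    return (200, "resource" if pt == b"/js/app.js" else "not found")

def hardened_handler(token):  # encrypt-then-MAC: verify the tag before any padding check
    ct, mac = token[:-32], token[-32:]
    return vulnerable_handler(ct) if hmac.compare_digest(mac, tag(ct)) else (200, "")

def response_classes(handler, token, pos):  # distinct responses when one byte is altered
    variants = (token[:pos] + bytes([v]) + token[pos + 1:] for v in range(256))
    return {handler(t) for t in variants if t != token}
```

More than one response class for tampered input means the handler is distinguishable regardless of status code; the hardened handler should always yield exactly one.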
Re: Padding Oracle Attack with always 200 response
Posted by: qaism123
Date: October 03, 2014 11:27PM

And btw, I'd like to thank the cell phone manufacturers on id's behalf for thinking about the crazy ex's in our lives and allowing us to have more than 99 unread texts. I never thought about that use case, but apparently the cell phone guys have met their fair share of crazies in their life too.

aliiiiiiiiiii

Re: Padding Oracle Attack with always 200 response
Posted by: sla_admin
Date: October 04, 2014 12:46PM

It was Windows Mobile 5.0 on that phone (Motorola Q), an amazingly good phone for the time...
