Source code for a Padding Oracle attack demonstration - vulnerable API and cracking code. C#, ASP .NET
POUnitTest
PadOracle
WebAPI
PadOracle.exe
PadOracle.sln
README.md

README.md

PaddingOracle

Source code for a Padding Oracle attack demonstration - vulnerable API and cracking code. C#, ASP .NET

This was written after a hacking challenge (CTF / "Hackathon") at work.

Build the WebAPI project, then run it without debugging, so that you can then debug the PadOracle project against it.

Change the string as you want, to discover how well it does/doesn't work. Try to throw the algorithm off.

See if there are any optimisations you can think of. It's still very slow, perhaps.

The PadOracle program now accepts command-line arguments:

```
PadOracle <url> -c <cipher-reg> [-i <iv-reg>] [-iv0] [-b <blocksize:16>] [-t <encoding:b64|b64URL|hex|HEX>] [-v] [-p <parallelism:-1|1>] [-h]
  <cipher-reg>: a regex matching the entire ciphertext in the <url> parameter
  <iv-reg>: a regex matching the initialisation vector in the <url> parameter, if separate
  <blocksize>: blocksize in bytes. Defaults to 16.
  <encoding>: The encoding of the ciphertext. b64 = base64, URL encoded; b64URL = base64 URL safe (/, +, =, replaced with !, -, ~); hex / HEX - hexadecimal encoded, lower / upper case.
  <parallelism>: How parallel do you want it? 1 is for 1 thread, so you can watch it work. -1 is for max parallel, more speed. Defaults to -1.
```
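
To make the `-t` encodings concrete, here is an added C# example (not code from this repository) that turns a token in each of the four encodings back into bytes and splits it into blocks of the `-b` size. The `TokenDecoder` class and its method names are hypothetical, and the positional pairing of the b64URL substitutions (`/` to `!`, `+` to `-`, `=` to `~`) is an assumption based on the order they are listed in above.

```csharp
using System;
using System.Linq;

static class TokenDecoder
{
    // Maps the README's -t values to raw bytes. Assumption: the b64URL
    // substitutions pair up positionally ('/'->'!', '+'->'-', '='->'~').
    public static byte[] Decode(string token, string encoding)
    {
        switch (encoding)
        {
            case "b64":     // standard base64 that was percent-encoded for the URL
                return Convert.FromBase64String(Uri.UnescapeDataString(token));
            case "b64URL":  // undo the substitutions, then decode as standard base64
                return Convert.FromBase64String(
                    token.Replace('!', '/').Replace('-', '+').Replace('~', '='));
            case "hex": case "HEX":  // Convert.ToByte accepts either letter case
                if (token.Length % 2 != 0) throw new FormatException("odd number of hex digits");
                return Enumerable.Range(0, token.Length / 2)
                    .Select(i => Convert.ToByte(token.Substring(2 * i, 2), 16)).ToArray();
            default:
                throw new ArgumentException("unknown encoding: " + encoding);
        }
    }
    // Splits into cipher blocks; a length that is not a whole number of blocks
    // means the wrong encoding or block size was chosen.
    public static byte[][] Blocks(byte[] data, int blockSize = 16)
    {
        if (data.Length == 0 || data.Length % blockSize != 0)
            throw new FormatException("length " + data.Length + " is not a multiple of " + blockSize);
        return Enumerable.Range(0, data.Length / blockSize)
            .Select(i => data.Skip(i * blockSize).Take(blockSize).ToArray()).ToArray();
    }
}
static class Program
{
    static void Main()
    {
        // Constructed sample: 32 arbitrary bytes (not a real ciphertext), chosen so
        // that the base64 form contains '+', '/' and '='.
        byte[] sample = Enumerable.Range(0, 32).Select(i => (byte)((0xFB + i) & 0xFF)).ToArray();
        string b64 = Convert.ToBase64String(sample);
        string hex = BitConverter.ToString(sample).Replace("-", "");
        string[][] tokens = {
            new[] { "b64", Uri.EscapeDataString(b64) },
            new[] { "b64URL", b64.Replace('/', '!').Replace('+', '-').Replace('=', '~') },
            new[] { "hex", hex.ToLowerInvariant() }, new[] { "HEX", hex } };
        foreach (var t in tokens)
            Console.WriteLine("{0,-6} {1} -> {2} blocks", t[0], t[1],
                TokenDecoder.Blocks(TokenDecoder.Decode(t[1], t[0])).Length);
    }
}
```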
