CBC padding oracle demo application. Requires Python3, requests, pycrypto
and flask.
The easiest way to run this application, is to setup a virtual environment and then install the required packages. I.e., something like
$ virtualenv -p python3 venv $ source venv/bin/activate $ pip install requests $ pip install flask $ pip install pycrypto
The server is then run as a standard flask application:
$ FLASK_APP=server.py flask run
By default the server runs at 127.0.0.1:5000.
On startup, the server picks a random key, and creates a random message of the form:
flag{<32 random hexencoded bytes}
Whenever the server receives a request at
127.0.0.1:5000/decrypt/<c>
where <c> is a hex encoded ciphertext, it decrypts c and responds with
ok if the padding was correct and bad padding otherwise.