Demonstrated this spring at Black Hat Europe and officially released last week, the Padding Oracle Exploit Tool (Poet) automates a side-channel attack known as a Padding Oracle Attack, which was introduced to the cryptographic community in 2002. The attack targets a common cryptographic pattern: a padding oracle receives ciphertext, decrypts it, and tells the sender whether the padding is valid or invalid. The attack is possible when attackers can intercept padded messages encrypted in CBC mode, and it effectively gives them access to the encrypted information without the key.
"What happens in Web apps is that it is very common for the programmer to send something encrypted to the client/Web browser [and] not to share it with the client, just to store it for some time like cookies, [which] is a perfect scenario to implement what is called 'chosen cipher text attacks,' where the cipher text is modified and [sent] again to the Web application," says Juliano Rizzo, who together with Thai Duong developed Poet. "Poet should help to show that is not easy to implement cryptography correctly, [and] attacks that could look theoretical are very practical and dangerous."
Rizzo and Duong have shown that Poet can crack CAPTCHAs and decrypt view states in JavaServer Faces Web development frameworks.
Adam Muntner, a security consultant and researcher for Gotham Digital Science, says the attacks made possible by Poet are déjà vu all over again for the Web application security community.
"Meet the new 'sploit, same as the old 'sploit, to paraphrase The Who," Muntner says. "It's fascinating to see the same attack patterns rear their head, time and time again. The problem isn't so much any particular exploit, not to minimize the impact of this one. It's in software design, development, and testing practices."
From what he has seen so far of Poet, Muntner says the attack tool takes advantage of two implementation flaws found in many Web applications.
"One is a cryptographic implementation flaw. The best crypto algorithm in the world is less useful than a TSA-approved lock if it's implemented poorly. Two, in Web application security, the client, typically an HTML browser, is not to be trusted," Muntner says. "If only one of the two flaws that this attack is dependent on had been caught, the attack would not be possible. In the security world, we refer to this principle as defense-in-depth."
Rizzo believes that Web application developers can best address padding oracle vulnerabilities by adopting higher-level cryptographic libraries, such as Keyczar, which add the integrity protection and authentication that the basic cryptographic primitives developers commonly use today do not provide.
"One problem is that they implement their own cryptography, using low-level cryptography algorithms, and that is hard to implement correctly. They should use more high-level solutions," Rizzo says.
Rizzo and Duong hope Poet will be added to developer and penetration-testing toolkits to check up on application security.
"The tool can be used by developers and penetration testers to audit Web applications -- 'black-box' testing in the same way SQL injection and XSS are detected today," he says.
While Poet primarily highlights threats at the Web application layer, Rizzo also warns database security experts who reuse the same encryption keys across front-end systems and back-end databases.
"The Poet attack is interactive and databases are not exposed, or shouldn't be, as Web applications are," Rizzo says. "But what can happen is that if, for example, the same key is used to store secret information in a database and also used in some front-end [system] in the Web application connected to the database, the attacker [can] get access to the encrypted database data without the key. It would be possible to use a vulnerable Web application as an oracle to decrypt the data from the database."
In fact, now that Poet is released, Rizzo says he and Duong are directing their research toward exactly such scenarios.
"Now we are studying a framework where that could happen: The same keys are reused to store data in the database and to encrypt data sent to the Web client," he says. "You could get a decryption oracle in a Web app, and even if the Web app is not sending interesting data to you, if the same secret key is used somewhere else, you can use the vulnerability in the Web app to decrypt data that you get from somewhere else in the system."