Thursday, March 14, 2013

Hacking the web: Exploiting CBC with Padding Oracle

The process of writing the material of a training is very organic. Not in the way where you replace meat with tofu, but rather a process of evolving the material for each new edition.

No matter how experienced a teacher can be on the subject, students learning process are different for everyone and so is their background experience. In short, building training that is effective for a large range of people is as hard as building an exploit that is effective against a large range of machines.

That's why after each edition we try to re-write what we think are the weakest parts to make the training more targeted towards how students learn best.

As a good example, last year the Web Hacking class had a Padding Oracle section. Not only it was very a novel technique, but we where seeing all kind of bad implementations on our consulting gigs that we were exploiting with this. We decide it to rush it into our class, and fit it into a two hours period. Whether most people in the class understood it and was able to exploit it at the end, we felt that they might have not have grasped the whole concept, so this year we decide it to turn it in a whole Web Crypto day.

Importantly, we decided to build an interactive framework for ECB and CBC (if you're not sure the difference, you should attend the class!), so you could understand how to exploit Padding Oracle in a Web 2.0 environment.

It was painful, but the results are looking good:

Kudos to Matias for the great work, and we are hoping to see you there in less than a month at INFILTRATE 2013's Web Hacking class!

No comments: