nav search
Data Center Software Security Transformation DevOps Business Personal Tech Science Emergent Tech Bootnotes BOFH

Melbourne hacker adds padding oracle to free popular hacker course

PentesterLab chomps crypto

By Darren Pauli, 12 Dec 2016

Melbourne security bod Louis Nyffenegger has updated his popular PentesterLab security testing platform allowing hackers to learn how to detect padding oracles.

Nyffenegger launched the education platform in 2013 allowing users to tackle free practical and theory courses, and giving enterprises the option to pay for licences.

Padding oracles are functions of applications which decrypt encrypted data and leak the validity of padding after decryption. It allows attackers to decrypt encrypted and encrypted data without knowing the relevant key permitting leaking of sensitive data and possible privilege escalation vulnerabilities.

Nyffenegger, now with FitBit, says wrote the four hour course part of his Capture-The-Flag badge.

Students will work through padding oracles in a course detailing exploitation of a simulated PHP website which uses Cipher Block Chaining to encrypt user data for authentication.

"When an application decrypts encrypted data, it will first decrypt the data, then it will remove the padding. During the cleanup of the padding, if an invalid padding triggers a detectable behaviour, you have a padding oracle," Nyffenegger says.

"The detectable behaviour can be an error, a lack of results, or a slower response.

"If you can detect this behaviour, you can decrypt the encrypted data and even re-encrypt the cleartext of your choice."

Users can take the in-depth courses offline for free, or pay for the online variant that comes with some extra classes. ®

The Register - Independent news and views for the tech community. Part of Situation Publishing