Padding Oracle Emulator #154
Comments
I agree that we should set some encrypted cookie. But don't we need some login options for that? We can't set such a cookie as username till the person logs in. So we should emulate login (but how to log in without having an account?). Moreover, so many possible sites can be cloned. Some of them have a login page, but others don't. We should think about all possible variants and choose the best. To be honest, right now I have no idea how to implement this emulator.
I've put some thought into it, and I think we can make it more general. Our final aim is to make an emulator that attracts attackers, so we could set a
@afeena If you think we should give it some more time, then we can put it on hold and implement it last. And we can make it open for discussion so that we can get more ideas.
@rnehra01 Yeah, we can start working on other tasks till we have an understanding of how to implement this task best :)
@glaslos What do you think about this? I have some doubts that we need such functionality.
Padding oracles are famous in cookie-based attacks.
The problem is that we need to send an encrypted cookie first to implement this type of attack. Thus this emulator doesn't fall under the normal `detect and emulate` category, so what I'm thinking is that we'll send an encrypted cookie if the user sends us some login data, and we'll encrypt that data (maybe username and some user id, something like that, to make it look real); we'll detect the attack only on that cookie. Once we find tampering (invalid padding), we can send `invalid padding` type of responses. It's good to send the encrypted cookie only if some login type data is given, because sending a random encrypted cookie won't make it look real.
@afeena please review and provide suggestions.
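
The flow proposed in this issue, as an added sketch that is not part of the thread or the project's code: issue a CBC-encrypted cookie from submitted login data, then label each returned cookie so the emulator knows when to answer with an `invalid padding` style response. All names are hypothetical, and a toy Feistel cipher built from the standard library stands in for AES so the block runs without third-party packages.

```python
import hashlib, hmac, os

BLOCK = 16              # block size in bytes, as for AES
KEY = os.urandom(32)    # honeypot-side secret (constructed for this example)
ISSUED = set()          # cookies this instance has handed out

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))
def _f(rnd, half):      # round function of the toy Feistel cipher (assumption: not AES)
    return hmac.new(KEY, bytes([rnd]) + half, hashlib.sha256).digest()[:8]

def _enc_block(blk):
    l, r = blk[:8], blk[8:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(rnd, r))
    return l + r

def _dec_block(blk):
    l, r = blk[:8], blk[8:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _f(rnd, l)), l
    return l + r

def issue_cookie(username, user_id):
    """CBC-encrypt 'username:user_id' with PKCS#7 padding; return hex(IV || ciphertext)."""
    data = f"{username}:{user_id}".encode()
    pad = BLOCK - len(data) % BLOCK
    data += bytes([pad]) * pad
    out = [os.urandom(BLOCK)]                       # random IV is the first block
    for i in range(0, len(data), BLOCK):
        out.append(_enc_block(_xor(data[i:i + BLOCK], out[-1])))
    cookie = b"".join(out).hex()
    ISSUED.add(cookie)
    return cookie

def classify_cookie(cookie):  # label a returned cookie so the emulator can pick a response
    if cookie in ISSUED:
        return "untouched"
    try:
        raw = bytes.fromhex(cookie)
    except ValueError:
        return "malformed"
    if len(raw) < 2 * BLOCK or len(raw) % BLOCK:
        return "malformed"
    plain = b"".join(_xor(_dec_block(raw[i:i + BLOCK]), raw[i - BLOCK:i])
                     for i in range(BLOCK, len(raw), BLOCK))
    pad = plain[-1]
    ok = 1 <= pad <= BLOCK and plain.endswith(bytes([pad]) * pad)
    return "tampered_valid_padding" if ok else "invalid_padding"
```

Any label other than `untouched` is a detection event for the honeypot; only `invalid_padding` needs the distinct error response discussed above.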