Generic Padding Oracle
ID       | generic_padding_oracle
Severity | critical
Kind     | Injection
CWE      | 209
Description
By manipulating the padding on an encrypted string, an attacker is able to trigger an error message that indicates a likely 'padding oracle' vulnerability. Such a vulnerability can affect any application or framework that uses encryption improperly, including some versions of ASP.NET, Java Server Faces, and Mono. An attacker may exploit this issue to decrypt data and recover encryption keys, potentially viewing and modifying confidential data. This rule is intended to detect the MS10-070 padding oracle vulnerability in ASP.NET when CustomErrors are enabled.
Rationale
Padding oracle vulnerabilities allow attackers to decrypt encrypted data without knowing the encryption key by exploiting differences in error messages or timing when padding validation fails. Attackers systematically manipulate ciphertext bytes and observe whether the server returns a padding error or some other error, using this oracle to deduce the plaintext one byte at a time. The attack defeats unauthenticated block-cipher modes such as AES-CBC whenever padding validation failures are distinguishable from other decryption failures. Successful exploitation exposes sensitive data, including session tokens, passwords, and personally identifiable information, that the encryption was meant to protect.
Remediation
Use authenticated encryption modes such as AES-GCM or ChaCha20-Poly1305, which provide integrity protection and eliminate padding oracle attacks. If CBC mode must be used, ensure that padding validation errors are indistinguishable from MAC verification failures by returning generic error messages and keeping timing constant across all decryption failures. Implement a message authentication code over the ciphertext and verify it before attempting decryption, so that tampered ciphertext is rejected before any padding is examined. Apply software updates addressing known padding oracle vulnerabilities such as MS10-070 for ASP.NET. Return identical error responses regardless of whether padding validation, MAC verification, or any other decryption step fails. Consider migrating away from padding-based encryption schemes to modern AEAD ciphers.
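As an added example that is not part of this rule's text, the CBC remediation above in Go: AES-CBC with an HMAC-SHA256 tag over the IV and ciphertext (encrypt-then-MAC), the tag checked in constant time before any decryption, and a single generic error for every failure path. The 256-bit keys, the PKCS#7 padding and the iv||ct||tag layout are assumptions of the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// ErrDecrypt is the only error Open returns: bad MAC, bad length and bad padding are indistinguishable.
var ErrDecrypt = errors.New("decryption failed")

// Seal: PKCS#7 pad, AES-CBC encrypt under a random IV, then HMAC-SHA256 over iv||ct. Output iv||ct||tag.
func Seal(encKey, macKey, plaintext []byte) ([]byte, error) {
	pad := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	out := make([]byte, aes.BlockSize+len(padded)) // first block holds the IV
	block, err := aes.NewCipher(encKey)
	if _, rerr := rand.Read(out[:aes.BlockSize]); err != nil || rerr != nil {
		return nil, errors.Join(err, rerr)
	}
	cipher.NewCBCEncrypter(block, out[:aes.BlockSize]).CryptBlocks(out[aes.BlockSize:], padded)
	mac := hmac.New(sha256.New, macKey)
	mac.Write(out)
	return mac.Sum(out), nil
}

// Open verifies the tag (constant time) before decrypting, so padding is never inspected on
// attacker-modified ciphertext; every failure collapses to the same ErrDecrypt.
func Open(encKey, macKey, msg []byte) ([]byte, error) {
	if len(msg) < 2*aes.BlockSize+sha256.Size || (len(msg)-sha256.Size)%aes.BlockSize != 0 {
		return nil, ErrDecrypt
	}
	body, tag := msg[:len(msg)-sha256.Size], msg[len(msg)-sha256.Size:]
	mac := hmac.New(sha256.New, macKey)
	mac.Write(body)
	block, err := aes.NewCipher(encKey)
	if !hmac.Equal(mac.Sum(nil), tag) || err != nil {
		return nil, ErrDecrypt
	}
	pt := make([]byte, len(body)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, body[:aes.BlockSize]).CryptBlocks(pt, body[aes.BlockSize:])
	pad := int(pt[len(pt)-1]) // only reached for authenticated data, so this check is not an oracle
	if pad == 0 || pad > aes.BlockSize || !bytes.Equal(pt[len(pt)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return nil, ErrDecrypt // same error as the MAC path
	}
	return pt[:len(pt)-pad], nil
}
```

A bit-flipped ciphertext byte is rejected by the MAC check, so the padding logic never runs on it and the caller sees the same ErrDecrypt as for a truncated or wrongly keyed message.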