Padding Oracle Attacker

A CLI tool and library to execute padding oracle attacks easily, with support for concurrent network requests and an elegant UI.
Demo
The tool features an elegant terminal UI that shows real-time progress of the attack.
Installation
Bash
npm i -g padding-oracle-attacker
Or use npx to run without installing:
Bash
npx padding-oracle-attacker
CLI Usage
Decrypt a value:
Bash
poattack decrypt -u "http://localhost:2020/decrypt?ciphertext=$" "Gw3kg8e3hM6TO3l5
Encrypt a value:
Bash
poattack encrypt -u "http://localhost:2020/decrypt?ciphertext=$" "secret str"
Library API
Use as a library in your Node.js projects:
TypeScript
import { decrypt, encrypt } from 'padding-oracle-attacker'

// Decrypt ciphertext
const plaintext = await decrypt(ciphertext, {
  blockSize: 16,
  // Oracle callback: resolves to true when the server accepted the padding (HTTP 200 here)
  isVulnerable: async (data) => {
    // Base64 can contain '+', '/' and '=', so encode it before placing it in the query string
    const ct = encodeURIComponent(data.toString('base64'))
    const response = await fetch('http://target/decrypt?ct=' + ct)
    return response.status === 200
  }
})

// Encrypt plaintext
const encrypted = await encrypt('secret message', {
  blockSize: 16,
  isVulnerable: async (data) => {
    // ... vulnerability oracle
  }
})
Features
- Support for concurrent network requests for faster attacks
- Elegant real-time terminal UI
- Can be used as both CLI tool and library
- Written in TypeScript with full type definitions
- MIT Licensed
Stats
220+ stars on GitHub • MIT License • TypeScript 91.3%
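The `isVulnerable` callback in the Library API section treats an HTTP 200 as "padding was valid". The following added example (not code from the padding-oracle-attacker project) shows, from the defender's side, a decrypt handler that exposes that signal next to an encrypt-then-MAC handler that does not, with a regression check that compares their responses to tampered input. The keys, handler names, and status codes are constructed assumptions.

```javascript
const crypto = require('node:crypto')

// Constructed demo keys; a real service loads these from its secret store.
const ENC_KEY = crypto.randomBytes(32)
const MAC_KEY = crypto.randomBytes(32)

function cbcEncrypt(plaintext) { // returns iv || ciphertext
  const iv = crypto.randomBytes(16)
  const c = crypto.createCipheriv('aes-256-cbc', ENC_KEY, iv)
  return Buffer.concat([iv, c.update(plaintext, 'utf8'), c.final()])
}
function cbcDecrypt(data) { // final() throws when the PKCS#7 padding is invalid
  const d = crypto.createDecipheriv('aes-256-cbc', ENC_KEY, data.subarray(0, 16))
  return Buffer.concat([d.update(data.subarray(16)), d.final()])
}

// Weak: the status code reveals whether the padding was valid (200 vs. error).
function vulnerableHandler(data) {
  try { cbcDecrypt(data); return 200 } catch { return 500 }
}

// Hardened: encrypt-then-MAC. The tag is verified in constant time before any
// decryption, so every modified input gets the same answer.
function seal(plaintext) {
  const body = cbcEncrypt(plaintext)
  return Buffer.concat([body, crypto.createHmac('sha256', MAC_KEY).update(body).digest()])
}
function hardenedHandler(data) {
  if (data.length < 64) return 400 // iv + one block + 32-byte tag
  const body = data.subarray(0, data.length - 32)
  const expected = crypto.createHmac('sha256', MAC_KEY).update(body).digest()
  if (!crypto.timingSafeEqual(data.subarray(data.length - 32), expected)) return 400
  try { cbcDecrypt(body); return 200 } catch { return 400 }
}

// Regression check: change one byte to each of its 255 other values and
// collect the distinct statuses. More than one status means a usable signal.
function statusesUnderTampering(handler, data, offset) {
  const seen = new Set()
  for (let delta = 1; delta < 256; delta++) {
    const copy = Buffer.from(data)
    copy[offset] ^= delta
    seen.add(handler(copy))
  }
  return [...seen].sort()
}

console.log(statusesUnderTampering(vulnerableHandler, cbcEncrypt('secret str'), 15))
console.log(statusesUnderTampering(hardenedHandler, seal('secret str'), 15))
```

An AEAD mode such as AES-GCM gives the same property with a single primitive; the HMAC construction is used here only to keep CBC visible for comparison.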