Padding oracle → forge admin session cookie

§ Context

Assumed environment: target uses CBC-encrypted cookies / viewstate. Server returns observable differential on padding success vs failure (HTTP status / response body / response time).

§ Steps

1. 01
   Exfil admin dataExfiltration

   T1041— Exfiltration Over C2 Channel
2. 02
   Replace cookie, request /adminInitial Access

   T1078— Valid Accounts
3. 03
   Identify CBC-encrypted tokenReconnaissance

   W-RECON-FINGERPRINT— Tech Stack Fingerprinting
4. 04
   Encrypt admin payload via CBC malleabilityCredential Access

   CR-PADDING-ORACLE— Padding Oracle (CBC)
5. 05
   Decrypt cookie byte-by-byte (padbuster)Credential Access

   CR-PADDING-ORACLE— Padding Oracle (CBC)
6. 06
   Confirm padding-validity oracleCredential Access

   CR-PADDING-ORACLE— Padding Oracle (CBC)

§ References

• T1041Exfiltration Over C2 Channel
• T1078Valid Accounts

§ Frequently asked

What is the "Padding oracle → forge admin session cookie" attack path?

App encrypts session cookies with AES-CBC and reveals padding-validity via a 500/200 differential. Decrypt the cookie, forge an admin cookie, log in without credentials. It chains 6 steps drawn from real-world offensive-security techniques.

What starting position does this attack require?

The first step is Exfil admin data (T1041) — a exfiltration primitive. Assumed environment: target uses CBC-encrypted cookies / viewstate.

What is the final impact of this kill-chain?

The final step lands on Confirm padding-validity oracle (CR-PADDING-ORACLE), which falls under Credential Access. From here, an operator typically pivots into post-exploitation or maintains persistence.

How can defenders detect or prevent this attack?

Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

§ Related dossiers

• Shared techniques3

  Vesting beneficiary replace → silently drain stream

  Bug in a custom vesting contract allows anyone to call setBeneficiary on existing schedules. Replace beneficiary with attacker address; legitimate token stream now flows to attacker until released funds are noticed.

• Shared techniques3

  Cross-chain bridge validator-set bypass → mint wrapped tokens

  Bridge's signature-set check is off-by-one (Nomad-class) or accepts a zero address (Ronin-class). Mint wrapped tokens on the destination chain without locking on the source.

• Shared techniques3

  Reentrancy → drain vault contract

  Vulnerable withdraw() sends ETH before updating balance. Attacker contract re-enters via fallback() until the vault is empty — the canonical DAO-2016 pattern.

• Shared techniques2

  Origin IP bypass → direct attack on backend

  Find the real origin IP behind the CDN via CT logs / DNS history / SSL fingerprinting. Connect directly to origin, bypassing WAF + caching + rate-limit; run noisy attacks (SQLi / RCE) that the edge would have blocked.

• Shared techniques2

  Apple Pay Express Transit relay → high-value contactless fraud

  Specific configuration (Express Transit + Visa) allowed contactless transactions over £1k without unlock or per-tx auth. Two devices relayed the wallet from victim's pocket to a real terminal.

• Shared techniques2

  Mass SMS phish → Okta-style portal → SaaS sprawl (0ktapus)

  Wide SMS phishing campaign targeting employees of ~130 organisations with a single phishlet that captures Okta credentials + push approval. Mass automated logins to Twilio, MailChimp, DoorDash et al.