A few weeks ago we released PadBuster, a tool for automating padding oracle exploits. Today we have released version 0.2, which includes some bug fixes and a few enhancements that are summarized below:
- Support for HTTP Basic Authentication and HTTP/S Proxies
- Encoding for .NET UrlTokens (essentially a web-safe Base64 encoding)
- Logic for handling samples that do not include an IV (or use a NULL IV)
The .NET UrlToken encoding and NULL IV options are both especially useful when running PadBuster against sites that are vulnerable to the recent .NET Padding Oracle attack. There are also new options for running the tool in interactive mode (good for troubleshooting) and resuming a previous decryption in the event that the script gets killed in the middle of decrypting a large sample.
As with the previous version, feel free to provide feedback on potential improvements you would like to see. Version 0.3 is already in the works and promises to have more cool features.