The Register today released an article about the Padding Oracle Exploitation Tool, or POET for short. Researchers Juliano Rizzo and Thai Duong released a paper in February concerning vulnerabilities found in web development platforms, and also spoke about them at the April 2010 Black Hat EU conference. According to their findings:
We show that widely used web development frameworks and web sites are using encryption wrongly, which allows attackers to read and modify data that should be protected. It has been known for years in the cryptography community that encryption is not authentication. If encrypted messages are not authenticated, data integrity cannot be guaranteed, which makes systems vulnerable to practical and dangerous chosen-ciphertext attacks.
The duo went one step further today and released a tool, called POET, that actually performs the exploit. According to The Register:
Poet exploits a well-known vulnerability in the way many websites encrypt text stored in cookies, hidden HTML fields and request parameters. The text is designed to help servers keep track of purchases, user preferences and other settings while at the same time ensuring account credentials and other sensitive data can’t be intercepted. By modifying the encrypted information and sending it back to the server, the attackers can recover the plaintext for small chunks of the data, allowing them to access passwords and restricted parts of a webserver.
The video above is an example of Poet in action. Because the encrypted data is not authenticated, it can be decrypted and altered on the fly. According to their Black Hat EU presentation, Apache MyFaces, SUN Mojarra, and Ruby On Rails are some of the development frameworks that are susceptible to this type of attack. If you are using these development platforms, you should really look into this.
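As an added illustration (not code from the paper, from POET, or from any of the frameworks named above), here is the unauthenticated CBC-plus-padding pattern the researchers criticise beside an encrypt-then-MAC version that rejects any modified ciphertext before the padding is ever examined. The toy Feistel block cipher stands in for AES so the demo runs on the standard library alone, and the keys and cookie value are constructed sample data.

```python
import hashlib, hmac, os
BLOCK = 16
_xor = lambda a, b: bytes(x ^ y for x, y in zip(a, b))

def _feistel(key, block, rounds):
    # Stand-in 16-byte block cipher (4-round Feistel over SHA-256) so the demo needs
    # only the standard library; decryption is the same network with rounds reversed.
    l, r = block[:8], block[8:]
    for i in rounds:
        l, r = r, _xor(l, hashlib.sha256(key + bytes([i]) + r).digest()[:8])
    return r + l

def pad(data):  # PKCS#7
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n
def unpad(data):  # raises on malformed padding; that distinguishable error is the oracle
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc_encrypt(key, padded):  # returns IV || ciphertext
    out = prev = os.urandom(BLOCK)
    for i in range(0, len(padded), BLOCK):
        prev = _feistel(key, _xor(padded[i:i + BLOCK], prev), range(4))
        out += prev
    return out
def cbc_decrypt(key, ct):
    return b"".join(_xor(_feistel(key, ct[i:i + BLOCK], reversed(range(4))), ct[i - BLOCK:i])
                    for i in range(BLOCK, len(ct), BLOCK))

def padding_accepted(key, ct):
    # The vulnerable pattern: decrypt, unpad, no integrity check. Whether this is
    # True or False for a modified ciphertext is exactly the bit the server leaks.
    try:
        unpad(cbc_decrypt(key, ct))
        return True
    except ValueError:
        return False

def seal(enc_key, mac_key, plaintext):
    # Encrypt-then-MAC: the tag covers IV and ciphertext, under a separate key.
    ct = cbc_encrypt(enc_key, pad(plaintext))
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()

def open_sealed(enc_key, mac_key, blob):
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, ct, hashlib.sha256).digest(), tag):
        raise ValueError("rejected")  # one uniform failure, before any unpadding
    return unpad(cbc_decrypt(enc_key, ct))
```

With `padding_accepted`, flipping one byte of the block before the last one yields a different answer depending on what the final plaintext byte becomes; with `open_sealed`, every such modification is refused identically.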