Cipher Block Chaining (CBC)

This vulnerability demonstrates how ciphertext produced in Cipher Block Chaining (CBC) mode can be tampered with, without knowing the encryption key, whenever encryption is used without integrity protection (a MAC or an AEAD mode).


Let's say a web app encrypts user-controlled data (e.g., the username) using CBC mode and stores it in a cookie. The application then trusts the decrypted data for authentication decisions.

By modifying specific bytes in the ciphertext (or IV), an attacker can control parts of the decrypted plaintext, allowing impersonation of another user (e.g., admin).


Root Cause

The application incorrectly assumes that:

  • Encrypted data is secure and trustworthy

However, CBC encryption provides confidentiality only, not integrity.

Key issues:

  • User input is encrypted and later trusted
  • No MAC / signature is applied
  • Attacker can modify ciphertext or IV
  • CBC decryption XORs each decrypted block with the previous ciphertext block (or the IV for the first block)

CBC Decryption Refresher

CBC decryption works as follows:

Plaintext_Block = Decrypt(Ciphertext_Block) XOR Previous_Block

For the first block, the Previous_Block is the Initialization Vector (IV); for every later block it is the preceding ciphertext block.


Key Property

Modifying the IV modifies the first plaintext block predictably: flipping a bit in byte i of the IV flips the same bit in byte i of the first plaintext block.

This allows controlled plaintext manipulation without decrypting anything and without the key.


Attack Scenario

  1. Create a user with a similar username (bdmin, zdmin, etc.).
  2. Decode the cookie.
  3. Read the first byte of the encrypted value to get the Initialization Vector (IV) byte to modify.
  4. Compute the difference between the two characters using print(hex(ord('b') ^ ord('a'))).
  5. This gives 0x3; XOR it with the first IV byte of the cookie (0x18 in this example): hex(0x3 ^ 0x18).
  6. Replace the IV byte with the new byte computed above.
  7. Encode the cookie back and use it to access the admin account.
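The following is an added example, not code from the original page: it implements CBC over a stand-in block cipher (a keyed Feistel network, used in place of AES so it runs on the Python standard library), reproduces the IV byte flip from the steps above on a constructed cookie value, and shows the encrypt-then-MAC check that rejects the altered cookie. The cookie layout (IV || ciphertext || tag) and the absence of padding are assumptions for the example.

```python
import hmac, hashlib
BLOCK = 16

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _block(key: bytes, data: bytes, decrypt: bool = False) -> bytes:
    """Stand-in 128-bit block cipher (4-round Feistel, HMAC-SHA256 round function),
    constructed so the example needs no third-party library; CBC behaves the same over AES."""
    l, r = data[:8], data[8:]
    for i in (range(3, -1, -1) if decrypt else range(4)):
        f = hmac.new(key, bytes([i]) + (l if decrypt else r), hashlib.sha256).digest()[:8]
        l, r = (_xor(r, f), l) if decrypt else (r, _xor(l, f))
    return l + r

def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    # Input is assumed to be a multiple of 16 bytes (padding omitted to keep the focus on CBC).
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = _block(key, _xor(pt[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    # Plaintext_Block = Decrypt(Ciphertext_Block) XOR Previous_Block; the IV for the first block.
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        c = ct[i:i + BLOCK]
        out.append(_xor(_block(key, c, decrypt=True), prev))
        prev = c
    return b"".join(out)

def flip_iv(iv: bytes, index: int, old: int, new: int) -> bytes:
    # XORing IV byte `index` with old ^ new turns plaintext byte `index` from `old` into `new`; no key needed.
    iv = bytearray(iv)
    iv[index] ^= old ^ new
    return bytes(iv)

def protect(enc_key: bytes, mac_key: bytes, iv: bytes, ct: bytes) -> bytes:
    # Encrypt-then-MAC: the tag covers the IV as well as the ciphertext.
    return iv + ct + hmac.new(mac_key, iv + ct, hashlib.sha256).digest()

def open_token(enc_key: bytes, mac_key: bytes, token: bytes):
    # Returns the plaintext, or None if the IV or the ciphertext was altered.
    body, tag = token[:-32], token[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, body, hashlib.sha256).digest(), tag):
        return None
    return cbc_decrypt(enc_key, body[:BLOCK], body[BLOCK:])
```

With the tag in place, the flipped IV fails verification before any decrypted byte reaches the authentication logic, which is the check the vulnerable application lacks.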