Padding Oracle with Api Keys
How Padding Oracle Manifests in Api Keys
Padding Oracle attacks exploit the way cryptographic systems handle padding errors during decryption. In API contexts, this vulnerability often appears when encryption keys are used to protect sensitive data like API keys, authentication tokens, or configuration secrets. The attack works by sending modified ciphertexts to the server and observing whether decryption succeeds or fails, allowing attackers to gradually decrypt the original message without knowing the key.
API keys are particularly vulnerable when they're stored or transmitted in encrypted form using block ciphers like AES in CBC mode. The classic padding oracle scenario occurs when an API endpoint returns different error messages or response times depending on whether the padding of a decrypted API key is valid. For example, if an API receives an encrypted API key in a header and responds with "Invalid API key" versus "Malformed request" based on padding validity, an attacker can exploit this timing difference to decrypt the key byte by byte.
Consider this vulnerable pattern in a Node.js API:
const crypto = require('crypto');
function decryptApiKey(encrypted) {
try {
const iv = encrypted.slice(0, 16);
const ciphertext = encrypted.slice(16);
const decipher = crypto.createDecipheriv(
'aes-256-cbc',
process.env.API_KEY_ENCRYPTION_KEY,
iv
);
let decrypted = decipher.update(ciphertext, 'base64', 'utf8');
decrypted += decipher.final('utf8');
// No constant-time comparison
if (decrypted.length % 16 !== 0) {
throw new Error('Invalid padding');
}
return decrypted;
} catch (err) {
// Different response based on padding error
if (err.message.includes('padding')) {
return null; // Invalid padding
} else {
return false; // Invalid key
}
}
}The vulnerability here is that the error handling distinguishes between padding errors and other decryption failures. An attacker can send modified ciphertexts and observe whether the response indicates padding issues, gradually working toward the original API key. This is especially dangerous when API keys grant access to multiple services or have broad permissions.
Another manifestation occurs in JWT validation. When APIs use encrypted JWTs for API key management, improper error handling can leak padding oracle information:
function validateEncryptedJwt(token) {
try {
const [encryptedHeader, encryptedPayload, signature] = token.split('.');
const header = decrypt(encryptedHeader);
const payload = decrypt(encryptedPayload);
// Vulnerable: different errors for different failures
if (!header || !payload) {
return { valid: false, reason: 'Invalid token' };
}
return { valid: true, payload };
} catch (err) {
if (err.name === 'JsonWebTokenError') {
return { valid: false, reason: 'Invalid signature' };
} else if (err.name === 'TokenExpiredError') {
return { valid: false, reason: 'Token expired' };
}
// Padding errors fall through here
return { valid: false, reason: 'Malformed token' };
}
}The key insight is that any API that processes encrypted API keys or tokens must handle decryption errors in a way that doesn't reveal whether the failure was due to padding, invalid format, or incorrect key material.
API Keys-Specific Detection
Detecting padding oracle vulnerabilities in API keys requires both static analysis and dynamic testing. The most effective approach combines code review with automated scanning tools that can identify the specific patterns where padding oracle attacks can occur.
Static analysis should look for these red flags in API key handling code:
// Vulnerable patterns to flag
if (err.message.includes('padding')) { ... }
if (err.name === 'SyntaxError') { ... }
if (decrypted.length % block_size !== 0) { ... }
if (decrypted.slice(-1) !== padding_byte) { ... }
Dynamic testing with tools like middleBrick can automatically detect padding oracle vulnerabilities by sending crafted ciphertexts and analyzing response patterns. middleBrick's black-box scanning approach tests the unauthenticated attack surface without requiring credentials, making it ideal for security assessment.
middleBrick specifically checks for padding oracle vulnerabilities by:
- Testing encrypted API key endpoints with modified ciphertexts
- Analyzing response timing differences between valid and invalid padding
- Checking for inconsistent error messages that reveal decryption state
- Verifying that API endpoints handle decryption errors uniformly
- Scanning for vulnerable cryptographic libraries and configurations
During a scan, middleBrick tests multiple attack vectors:
const testVectors = [
// Modify last byte of ciphertext
modifyCiphertext(ciphertext, offset => offset === ciphertext.length - 1),
// Flip bits in IV
modifyCiphertext(ciphertext, (offset, byte) => byte ^ 0xFF),
// Remove padding bytes
removePadding(ciphertext),
// Add extra padding
addPadding(ciphertext)
];The scanner analyzes whether responses vary based on these modifications, which would indicate a padding oracle vulnerability. middleBrick's LLM security module also checks for AI-specific padding oracle scenarios where model inputs might be encrypted or padded in ways that could leak information.
Manual testing should include:
- Sending API requests with encrypted API keys where the last byte of ciphertext is modified
- Measuring response times for different ciphertext variations
- Checking if error messages differ between padding failures and other errors
- Testing whether the same error is returned for all decryption failures
middleBrick's API security scanning provides a security score (A–F) based on these findings, with specific findings for padding oracle vulnerabilities including severity levels and remediation guidance.
API Keys-Specific Remediation
Remediating padding oracle vulnerabilities in API key systems requires both architectural changes and careful implementation of constant-time error handling. The most effective approach is to eliminate CBC mode encryption entirely in favor of authenticated encryption modes that don't suffer from padding oracle issues.
For API keys that must be encrypted, use AES-GCM instead of CBC mode:
const crypto = require('crypto');
function encryptApiKey(apiKey) {
const algorithm = 'aes-256-gcm';
const iv = crypto.randomBytes(12);
const key = process.env.API_KEY_ENCRYPTION_KEY;
const cipher = crypto.createCipher(algorithm, key);
cipher.setAAD(Buffer.from('api-key-encryption', 'utf8'));
cipher.setIV(iv);
let encrypted = cipher.update(apiKey, 'utf8', 'base64');
encrypted += cipher.final('base64');
const authTag = cipher.getAuthTag();
return Buffer.concat([iv, authTag, Buffer.from(encrypted, 'base64')]).toString('base64');
}
function decryptApiKey(encrypted) {
try {
const data = Buffer.from(encrypted, 'base64');
const iv = data.slice(0, 12);
const authTag = data.slice(12, 28);
const ciphertext = data.slice(28);
const decipher = crypto.createDecipher('aes-256-gcm', process.env.API_KEY_ENCRYPTION_KEY);
decipher.setAAD(Buffer.from('api-key-encryption', 'utf8'));
decipher.setIV(iv);
decipher.setAuthTag(authTag);
let decrypted = decipher.update(ciphertext.toString('base64'), 'base64', 'utf8');
decrypted += decipher.final('utf8');
return decrypted;
} catch (err) {
// Constant-time failure: never reveal why decryption failed
return null;
}
}The key improvements here are using GCM mode (which provides authentication) and implementing constant-time error handling that never reveals whether decryption failed due to authentication, padding, or other reasons.
If you must use CBC mode for legacy reasons, implement these mitigations:
function constantTimeDecrypt(encrypted) {
try {
const iv = encrypted.slice(0, 16);
const ciphertext = encrypted.slice(16);
const decipher = crypto.createDecipheriv(
'aes-256-cbc',
process.env.API_KEY_ENCRYPTION_KEY,
iv
);
let decrypted = decipher.update(ciphertext, 'base64', 'utf8');
decrypted += decipher.final('utf8');
// Constant-time padding validation
const paddingLength = decrypted.charCodeAt(decrypted.length - 1);
const expectedPadding = String.fromCharCode(paddingLength).repeat(paddingLength);
// Use constant-time comparison
const paddingValid = constantTimeEquals(
decrypted.slice(-paddingLength),
expectedPadding
);
if (!paddingValid) {
throw new Error('Invalid token');
}
return decrypted.slice(0, -paddingLength);
} catch (err) {
// Always return the same error type
return null;
}
}
function constantTimeEquals(a, b) {
if (a.length !== b.length) return false;
let result = 0;
for (let i = 0; i < a.length; i++) {
result |= a.charCodeAt(i) ^ b.charCodeAt(i);
}
return result === 0;
}For API key storage and transmission, consider these additional best practices:
- Use HMAC for API key validation instead of encryption when possible
- Implement rate limiting to slow down padding oracle attacks
- Use constant-time comparison for all API key validation
- Add random delays to responses to prevent timing analysis
- Log and monitor for suspicious decryption failure patterns
middleBrick's remediation guidance specifically recommends these patterns and can verify that implementations properly handle decryption errors without leaking padding oracle information.