Bleichenbacher Attack in Express with Dynamodb
Bleichenbacher Attack in Express with Dynamodb — how this specific combination creates or exposes the vulnerability
A Bleichenbacher attack is a cryptographic padding oracle technique that can be relevant in an Express API when encrypted values (such as JWTs or custom session tokens) are processed and then conditionally validated against a data store like Dynamodb. In this combination, an attacker sends carefully modified ciphertexts and observes timing differences or explicit error messages to infer validity without knowing the key. Express applications that decrypt incoming data and then perform lookups in Dynamodb based on the decrypted contents can unintentionally create an oracle: the application may return distinct responses or timing behavior depending on whether the decrypted value corresponds to a record that exists in Dynamodb.
Consider an Express route that accepts an encrypted identifier, decrypts it, and then queries Dynamodb for a user or resource. If the decryption fails or produces malformed data, the application might return a generic 400 error. If decryption succeeds but the identifier is not found in Dynamodb, the application might return a 404 or a slightly different error message. These differences allow an attacker to perform adaptive chosen-ciphertext queries, gradually recovering plaintext or session tokens. The vulnerability is not inherent to Dynamodb; it arises from the interaction between cryptographic padding validation and the conditional branching in Express logic that references Dynamodb results.
An example vulnerable Express route might decrypt a token and then immediately query Dynamodb for the associated user. Distinct timing or status responses depending on whether the Dynamodb item exists can leak information about valid identifiers. This becomes more pronounced when the decryption routine uses PKCS#7 padding and the server’s error handling exposes padding verification failures versus missing record distinctions. Attackers can automate requests to refine guesses about the plaintext, eventually recovering sensitive values such as user IDs or impersonation tokens that reference Dynamodb entries.
Dynamodb-Specific Remediation in Express — concrete code fixes
To mitigate Bleichenbacher-style risks in an Express service that uses Dynamodb, ensure that all responses are consistent regardless of whether a decrypted value maps to an existing item. Avoid branching logic that reveals existence via timing or status differences. Use constant-time comparison where applicable and ensure error handling does not distinguish between decryption failures and missing records.
Example vulnerable Express route
const crypto = require('crypto');
const { DynamoDBClient, GetItemCommand } = require('@aws-sdk/client-dynamodb');
const algorithm = 'aes-256-cbc';
const key = Buffer.from(process.env.ENCRYPTION_KEY_HEX, 'hex');
app.get('/resource/:token', async (req, res) => {
try {
const iv = Buffer.from(req.params.token.slice(0, 16), 'hex');
const ciphertext = Buffer.from(req.params.token.slice(16), 'hex');
const decipher = crypto.createDecipheriv(algorithm, key, iv);
let decrypted = Buffer.concat([decipher.update(ciphertext), decipher.final()]);
const id = decrypted.toString('utf8');
const client = new DynamoDBClient({ region: 'us-east-1' });
const cmd = new GetItemCommand({
TableName: 'Resources',
Key: { id: { S: id } }
});
const data = await client.send(cmd);
if (!data.Item) {
return res.status(404).json({ error: 'Not found' });
}
res.json(data.Item);
} catch (err) {
if (err.name === 'DecryptError') {
return res.status(400).json({ error: 'Invalid token' });
}
res.status(500).json({ error: 'Server error' });
}
});
Remediated Express route with consistent response behavior
const crypto = require('crypto');
const { DynamoDBClient, GetItemCommand } = require('@aws-sdk/client-dynamodb');
const algorithm = 'aes-256-cbc';
const key = Buffer.from(process.env.ENCRYPTION_KEY_HEX, 'hex');
const client = new DynamoDBClient({ region: 'us-east-1' });
app.get('/resource/:token', async (req, res) => {
let id;
try {
const iv = Buffer.from(req.params.token.slice(0, 16), 'hex');
const ciphertext = Buffer.from(req.params.token.slice(16), 'hex');
const decipher = crypto.createDecipheriv(algorithm, key, iv);
let decrypted = Buffer.concat([decipher.update(ciphertext), decipher.final()]);
id = decrypted.toString('utf8');
} catch (err) {
// Always return the same generic error for any decryption or parsing issue
return res.status(400).json({ error: 'Invalid request' });
}
try {
const cmd = new GetItemCommand({
TableName: 'Resources',
Key: { id: { S: id } }
});
const data = await client.send(cmd);
// Always use the same status and shape, regardless of existence
if (!data.Item) {
return res.status(404).json({ error: 'Not found' });
}
res.json(data.Item);
} catch (dbErr) {
// Avoid leaking details; keep responses consistent to prevent oracle behavior
res.status(400).json({ error: 'Invalid request' });
}
});
Additional remediation steps include using authenticated encryption with associated data (AEAD) such as AES-GCM to eliminate padding oracles at the cryptographic layer, and ensuring that timing differences for database lookups are minimized (e.g., by using conditional reads or caching patterns that do not vary by record existence). Never expose low-level errors or stack traces to the client, and validate and sanitize all inputs before they influence Dynamodb key expressions. These measures reduce the observable differences an attacker can use in adaptive padding oracle attempts against your Express service.