Bleichenbacher Attack in Fiber (Go)

The Bleichenbacher attack exploits improper PKCS#1 v1.5 padding validation in RSA decryption, enabling chosen-ciphertext attacks against TLS-secured services. When Fiber— a Go-based web framework— handles encrypted communications using TLS 1.2 or earlier, and relies on Go's crypto/tls for server configuration, the default padding validation behavior can inadvertently expose this vulnerability if not correctly hardened. This is particularly relevant when Fiber applications serve JSON over HTTPS and use middleware that proxies requests to upstream services performing RSA decryption, such as OAuth token exchanges or legacy payment gateways.

Fiber itself does not implement cryptographic padding validation, but applications built on Fiber may inherit vulnerable patterns from underlying Go HTTP servers or from downstream services they interact with. For instance, if a Fiber endpoint accepts encrypted client payloads (e.g., JWTs or API keys wrapped in RSA), and the application forwards these to a service that performs PKCS#1 v1.5 decryption without constant-time validation, the response timing or structure can leak information about padding validity. This creates a side-channel that enables Bleichenbacher-style attacks.

Consider a Fiber route that receives an encrypted request body, decodes it using a custom middleware that leverages Go's crypto/rsa for decryption, and then processes the payload. If this middleware uses a vulnerable implementation like:

func decryptPKCS1(ciphertext []byte) ([]byte, error) {
    block, err := rsa.DecryptOAEP(sha1.New(), nil, privateKey, ciphertext)
    if err != nil {
        return nil, err
    }
    return block, nil
}

and the error response varies based on whether padding is malformed versus structurally invalid, attackers can distinguish between valid and invalid ciphertexts through observed responses. In Fiber, this might manifest as different HTTP status codes or response bodies—such as "400 Bad Request" for padding errors versus "500 Internal Server Error" for structural failures—providing a timing and error-based side channel.

While Fiber supports TLS 1.3 by default in modern versions, many deployments still run on TLS 1.2 due to compatibility constraints, especially when interfacing with older enterprise systems. In TLS 1.2, the ServerHello and subsequent RSA key exchange are vulnerable if padding validation is not constant-time. Fiber’s underlying net/http server inherits Go’s TLS config settings, so developers must explicitly enforce security controls. For example:

config := &tls.Config{
    MinVersion:               tls.VersionTLS13,
    CurvePreferences:         []tls.CurveID{tls.X25519, tls.CurveP256},
    PreferServerCipherSuites: true,
    CipherSuites: []uint16{
        tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
        tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
    },
}

http.ListenAndServe(":443", tls.NewServer(
    config,
    &fiber.App{},
))

Using TLS 1.3 eliminates RSA key exchange entirely in favor of ECDHE, removing the Bleichenbacher vulnerability at the protocol level. However, if the application still performs RSA-based encryption at the application layer—such as encrypting auth tokens with a public key—then padding validation flaws in custom crypto logic reintroduce the risk. This is common in Fiber APIs that integrate with payment processors or identity providers using RSA-wrapped credentials.

To detect exposure, middleBrick scans Fiber endpoints for unauthenticated access to encrypted payload handlers and tests for inconsistent error responses under malformed ciphertexts. It checks whether error messages leak padding information and whether TLS versions below 1.3 are enabled. The attack surface arises not from Fiber’s framework design but from how developers implement cryptographic operations above it, especially when combining Go’s standard library crypto primitives with Fiber’s middleware pipeline.

Additionally, Fiber’s support for OpenAPI 3.0 allows automated spec analysis to identify routes that accept encrypted inputs without documented deprecation or mitigation strategies. If a spec defines a requestBody with content-encoding: gzip and content-security: encrypted, middleBrick flags this as a potential Bleichenbacher vector if encryption is applied manually rather than relying on TLS. The scanner correlates runtime behavior with OpenAPI definitions to assess if the attack surface is properly bounded.

In summary, the combination of Fiber and Go does not inherently introduce Bleichenbacher vulnerabilities, but it amplifies exposure when developers implement custom RSA decryption logic without constant-time guarantees or when relying on outdated TLS configurations. The scanner identifies these patterns by analyzing endpoint behavior, request structure, and TLS negotiation metadata, providing prioritized findings with remediation guidance aligned to OWASP API Top 10 category A01:2023—Broken Access Control, and A06:2023—Vulnerable and Outdated Components.

Remediation requires replacing PKCS#1 v1.5 decryption with constant-time safe alternatives or migrating to modern key exchange mechanisms. In Go, this means avoiding direct use of rsa.Decrypt without constant-time guarantees and ensuring error responses do not differentiate between padding failures and other decryption errors.

Use OAEP padding with a cryptographically secure hash and ensure error messages are uniform. For example:

func decryptSafe(ciphertext []byte) ([]byte, error) {
    block, err := rsa.DecryptOAEP(sha256.New(), nil, privateKey, ciphertext)
    if err != nil {
        // Always return generic error to avoid leakage
        return nil, fmt.Errorf("decryption failed")
    }
    return block, nil
}

Additionally, enforce TLS 1.3 at the server level and disable TLS 1.2 entirely if possible. In Fiber, this is done via the underlying HTTP server config as shown earlier. Never implement custom padding checks that vary in error type or message length.

For applications that must interact with RSA-wrapped services (e.g., OAuth token exchange), validate the structure of incoming encrypted payloads before decryption and reject malformed inputs early with identical error responses. Use libraries that provide constant-time comparison functions, such as crypto/subtle, when comparing decrypted outputs.

Example of safe error handling in a Fiber route:

app.Post("/auth/exchange", func(c *fiber.Ctx) error {
    var encryptedPayload struct { Ciphertext []byte `json:"ciphertext"` }
    if err := c.BodyParser(&encryptedPayload); err != nil {
        return c.Status(400).JSON(fiber.Map{"error": "invalid request"})
    }

    decrypted, err := decryptSafe(encryptedPayload.Ciphertext)
    if err != nil {
        return c.Status(400).JSON(fiber.Map{"error": "invalid payload"})
    }

    // Proceed with processing
    return c.JSON(fiber.Map{"plaintext": string(decrypted)})
})

This ensures that both padding errors and invalid ciphertext structures result in the same HTTP response, eliminating timing and error-based leakage. Pair this with automated scanning via middleBrick to validate that no Bleichenbacher-compatible error variations persist in production endpoints.