Padding Oracle in Fastapi
How Padding Oracle Manifests in Fastapi
Padding Oracle attacks exploit the way FastAPI handles cryptographic padding in encrypted data, particularly when using JSON Web Tokens (JWTs) or encrypted cookies. In FastAPI applications, this vulnerability typically appears when the framework or your middleware provides detailed error messages that distinguish between padding failures and other decryption errors.
The attack vector works like this: an attacker captures an encrypted token (often a JWT or session cookie), then systematically modifies the ciphertext while observing the server's responses. When the server reveals whether padding was valid or not through response timing or error messages, the attacker can gradually decrypt the token without knowing the encryption key.
In FastAPI, this commonly occurs with:
- Default JWT implementations that expose padding error details
- Custom middleware that handles encrypted cookies without uniform error responses
- Database queries that execute differently based on padding validation success
- Authentication flows that return different HTTP status codes for padding vs. signature errors
Here's a vulnerable FastAPI implementation:
FastAPI-Specific Detection
Detecting Padding Oracle vulnerabilities in FastAPI requires examining both your code and runtime behavior. The most effective approach combines static analysis of your authentication and encryption logic with dynamic testing of error responses.
Code Review Patterns to Identify:
# Look for these vulnerable patterns in your FastAPI codebase:
# 1. Different exception handling for padding vs other errors
def vulnerable_pattern_1():
try:
data = decrypt_token(token)
return process_data(data) # Only executes if padding is valid
except InvalidSignatureError:
return error_response()
except ExpiredTokenError:
return error_response()
# 2. Timing differences in error responses
def vulnerable_pattern_2():
start = time.time()
try:
decrypted = decrypt_data(encrypted)
return success_response()
except Exception:
duration = time.time() - start
# Different handling based on failure type reveals timing info
return error_response(duration)
Runtime Detection Methods:
- Timing Analysis: Use tools like
time or curl -w to measure response times for invalid tokens. Consistent timing differences indicate padding oracle vulnerabilities. - Error Message Analysis: Test with intentionally malformed tokens and observe error messages. Look for messages that reveal whether padding validation passed or failed.
- Automated Scanning: Use middleBrick to scan your FastAPI endpoints. It tests for padding oracle vulnerabilities by sending crafted requests and analyzing response patterns.
middleBrick's approach to detecting padding oracle in FastAPI includes:
- Analyzing error response uniformity across different failure types
- Measuring response time variations for crafted payloads
- Testing authentication endpoints with manipulated JWTs and encrypted cookies
- Checking for database query execution differences based on padding validation
Here's how you might use middleBrick to scan a FastAPI application:
# Scan your FastAPI API with middleBrick
middlebrick scan https://your-fastapi-app.com/api/
# Or use the CLI for detailed output
middlebrick scan --format=json --output=report.json \
https://your-fastapi-app.com/auth/token
The scanner specifically looks for FastAPI's default error handling patterns and identifies where padding validation leaks information through timing or error messages.
FastAPI-Specific Remediation
Fixing Padding Oracle vulnerabilities in FastAPI requires implementing uniform error handling and constant-time operations. The goal is to ensure that all error paths take the same amount of time and return identical responses regardless of the failure reason.
Implementation Strategy:
- Uniform Error Responses: Always return the same HTTP status code and error message for all authentication/authorization failures.
- Constant-Time Comparisons: Use constant-time comparison functions for all cryptographic operations.
- Early Return Elimination: Structure code to avoid conditional execution paths based on padding validation.
- Rate Limiting: Implement rate limiting on authentication endpoints to slow down oracle attacks.
Secure FastAPI Implementation:
from fastapi import FastAPI, HTTPException
from jose import jwt
from cryptography.hazmat.primitives import constant_time
import time
import os
app = FastAPI()
SECRET_KEY = os.getenv("SECRET_KEY")
ALGORITHM = "HS256"
# Secure pattern: uniform error handling
@app.post("/api/secure/")
def secure_endpoint(token: str):
start_time = time.time()
try:
# Always attempt full validation
payload = jwt.decode(token, SECRET_KEY, algorithms=[ALGORITHM])
# Use constant-time comparison for sensitive checks
if constant_time.bytes_eq(
payload.get("user_id", "").encode(),
"admin".encode()
):
# Uniform processing regardless of outcome
result = process_admin_data()
else:
result = process_user_data(payload.get("user_id"))
except Exception:
# Always return same response
result = {"error": "authentication_failed"}
# Constant response time
elapsed = time.time() - start_time
if elapsed < 0.2: # Minimum response time
time.sleep(0.2 - elapsed)
return result
# Secure JWT verification with constant-time validation
def secure_jwt_verify(token: str):
try:
# Use a secure JWT library that implements constant-time operations
payload = jwt.decode(token, SECRET_KEY, algorithms=[ALGORITHM])
# Always perform all validation steps, even if one fails
# (use a library that doesn't short-circuit on first failure)
return payload
except Exception:
# Uniform failure - never reveal which check failed
raise HTTPException(
status_code=401,
detail="Invalid authentication credentials"
)
# Rate limiting middleware for authentication endpoints
from fastapi.middleware import RateLimitMiddleware
from slowapi import Limiter, _rate_limit_exceeded_handler
from slowapi.util import get_remote_address
limiter = Limiter(key_func=get_remote_address)
app.add_middleware(
RateLimitMiddleware,
db=limiter.limit("5/minute;1/hour;1/day")
)
Additional Security Measures:
- Use Secure JWT Libraries: Choose libraries that implement constant-time operations and uniform error handling.
- Implement API Rate Limiting: Use FastAPI middleware to limit authentication attempts.
- Add Monitoring: Log authentication failures and monitor for unusual patterns.
- Regular Security Scanning: Use middleBrick's continuous monitoring to detect new vulnerabilities.
By implementing these patterns, you eliminate the information leakage that makes padding oracle attacks possible in FastAPI applications.
Frequently Asked Questions
How can I test my FastAPI application for padding oracle vulnerabilities?
Use middleBrick to scan your FastAPI endpoints - it automatically tests for padding oracle by sending crafted requests and analyzing response patterns. You can also manually test by measuring response times for intentionally malformed JWTs and checking if error messages reveal padding validation status.Does FastAPI have built-in protection against padding oracle attacks?
No, FastAPI does not have built-in padding oracle protection. You need to implement secure error handling, constant-time operations, and uniform response patterns yourself. The vulnerability depends on how you implement authentication and error handling in your specific application.