Fix issue #113: Prevent PaddingOracleAttacker from running endlessly #136

Open
wants to merge 1 commit into
base: main

Conversation

ic0ns
Contributor

@ic0ns ic0ns commented Jun 27, 2025

Summary

  • Add early termination conditions to prevent endless execution when testing unresponsive servers
  • Add maximum runtime limit to ensure the probe completes within reasonable time
  • Improve error handling to continue testing other cipher suites when individual tests fail

Fixes #113

This PR addresses the issue where PaddingOracleAttacker can run for hours while producing thousands of warnings when testing certain targets.

Changes Made

PaddingOracleAttacker.java

  • Added MAX_CONSECUTIVE_FAILURES constant (20) - stops testing after 20 consecutive fingerprint extraction failures
  • Added MAX_FAILURE_RATE constant (0.75) - stops testing when more than 75% of attempts fail (after at least 10 attempts)
  • Added failure tracking logic in createVectorResponseList() method
  • Added informative logging about failure statistics

PaddingOracleProbe.java

  • Added MAX_PROBE_RUNTIME_MS constant (20 minutes) - ensures probe completes in reasonable time
  • Added runtime checks before processing each cipher suite and during extended evaluation
  • Added try-catch blocks to handle individual test failures gracefully without stopping the entire probe

PaddingOracleProbeTest.java

  • Added unit tests for the probe's basic functionality and configuration

Test Plan

  • Code compiles successfully
  • Code formatting applied with spotless
  • Added unit tests for probe configuration
  • Manual testing with problematic servers (requires access to specific test targets)

Notes

The fix uses a two-pronged approach:

  1. Failure detection: Stops early when too many consecutive failures occur or the overall failure rate is too high
  2. Time limit: Enforces a maximum runtime to prevent the probe from running indefinitely

This ensures the scanner remains responsive even when testing servers with connectivity issues or other problems that prevent successful fingerprint extraction.

- Add early termination conditions in PaddingOracleAttacker:
  - Stop after 20 consecutive fingerprint extraction failures
  - Stop when failure rate exceeds 75% after processing at least 10 vectors
- Add maximum runtime limit of 20 minutes in PaddingOracleProbe
- Add try-catch blocks in PaddingOracleProbe to handle individual test failures gracefully
- Log statistics about failures to help diagnose connectivity issues

This prevents the scanner from appearing to hang when testing servers that
are unresponsive or have connectivity issues.
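The two-pronged abort logic described above (consecutive-failure streak, overall failure rate after a minimum sample, and a wall-clock budget) can be modelled in a few dozen lines. The class below is an added illustration, not TLS-Scanner code from this PR: the class, method and enum names (`EarlyTerminationDemo`, `collectResponses`, `StopReason`) are hypothetical, the threshold values (20, 0.75, 10 attempts, 20 minutes) come from the PR description, and the order in which the checks are evaluated, plus the simulated targets in `main`, are assumptions. The clock is injected so the runtime limit can be exercised without waiting twenty minutes.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.function.IntPredicate;
import java.util.function.LongSupplier;

// Hypothetical stand-alone model of the early-termination rules the PR describes.
// Not TLS-Scanner code; only the threshold values are taken from the PR text.
public class EarlyTerminationDemo {

    static final int MAX_CONSECUTIVE_FAILURES = 20;            // PaddingOracleAttacker (PR)
    static final double MAX_FAILURE_RATE = 0.75;               // PaddingOracleAttacker (PR)
    static final int MIN_ATTEMPTS_FOR_RATE_CHECK = 10;         // "after at least 10 attempts"
    static final long MAX_PROBE_RUNTIME_MS = 20L * 60 * 1000;  // PaddingOracleProbe (PR)

    enum StopReason { COMPLETED, CONSECUTIVE_FAILURES, FAILURE_RATE, RUNTIME_EXCEEDED }

    static final class Result {
        final StopReason reason;
        final int attempts;
        final int failures;
        final List<Integer> successfulVectors;

        Result(StopReason reason, int attempts, int failures, List<Integer> successfulVectors) {
            this.reason = reason;
            this.attempts = attempts;
            this.failures = failures;
            this.successfulVectors = Collections.unmodifiableList(successfulVectors);
        }

        // Failure statistics in the log line, as the PR's "informative logging" suggests.
        @Override public String toString() {
            double rate = attempts == 0 ? 0.0 : (double) failures / attempts;
            return String.format("%s after %d attempts (%d failures, %.0f%% failure rate, %d usable responses)",
                    reason, attempts, failures, rate * 100, successfulVectors.size());
        }
    }

    /**
     * Iterates over vectorCount padding test vectors. extractFingerprint.test(i) stands in for
     * one connection attempt and returns true when a response fingerprint could be recorded.
     * clock supplies milliseconds so the runtime budget is testable without sleeping.
     */
    static Result collectResponses(int vectorCount, IntPredicate extractFingerprint, LongSupplier clock) {
        long start = clock.getAsLong();
        int attempts = 0, failures = 0, consecutiveFailures = 0;
        List<Integer> successes = new ArrayList<>();

        for (int i = 0; i < vectorCount; i++) {
            // Time limit, checked before each vector so a stalled target cannot hold the probe for hours.
            if (clock.getAsLong() - start > MAX_PROBE_RUNTIME_MS) {
                return new Result(StopReason.RUNTIME_EXCEEDED, attempts, failures, successes);
            }
            attempts++;
            if (extractFingerprint.test(i)) {
                successes.add(i);
                consecutiveFailures = 0;   // a usable response resets the streak
                continue;
            }
            failures++;
            consecutiveFailures++;
            if (consecutiveFailures >= MAX_CONSECUTIVE_FAILURES) {
                return new Result(StopReason.CONSECUTIVE_FAILURES, attempts, failures, successes);
            }
            // Rate check only after a minimum sample, so a couple of early timeouts do not abort the test.
            if (attempts >= MIN_ATTEMPTS_FOR_RATE_CHECK
                    && (double) failures / attempts > MAX_FAILURE_RATE) {
                return new Result(StopReason.FAILURE_RATE, attempts, failures, successes);
            }
        }
        return new Result(StopReason.COMPLETED, attempts, failures, successes);
    }

    public static void main(String[] args) {
        LongSupplier realClock = System::currentTimeMillis;
        int vectors = 100;

        // Constructed targets: each predicate decides per vector whether a fingerprint is obtained.
        System.out.println("Unresponsive target        : "
                + collectResponses(vectors, i -> false, realClock));        // FAILURE_RATE at attempt 10
        System.out.println("Target that dies mid-test  : "
                + collectResponses(vectors, i -> i < 60, realClock));       // CONSECUTIVE_FAILURES at attempt 80
        System.out.println("Lossy target (2 of 3 fail) : "
                + collectResponses(vectors, i -> i % 3 == 0, realClock));   // COMPLETED, 66% < 75%

        // Fake clock that advances by the whole budget on every read, so the second vector is never tried.
        long[] fakeNow = {0L};
        LongSupplier jumpingClock = () -> { long t = fakeNow[0]; fakeNow[0] += MAX_PROBE_RUNTIME_MS; return t; };
        System.out.println("Healthy but slow (budget)  : "
                + collectResponses(vectors, i -> true, jumpingClock));      // RUNTIME_EXCEEDED after 1 attempt
    }
}
```

Two details worth noticing when reviewing the real change: with both rules active, a completely dead target is stopped by the failure-rate rule at the tenth attempt, before the consecutive-failure limit is ever reached, so the streak rule mainly catches targets that stop answering part-way through; and because the runtime check sits before each vector rather than around the network call, a single hung connection still runs to its own socket timeout before the budget is enforced.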
Successfully merging this pull request may close these issues.

PaddingOracleAttacker runs endlessly(?) while producing thousands of warnings