<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
</head>
<body bgcolor="#FFFFFF" text="#000000">
So padding oracle vulnerabilities are still everywhere, and still
quite interesting, and also quite hard to teach. We have a module in
the upcoming <a href="http://infiltratecon.com/training.html">INFILTRATE
WebHacking class</a>, and I have to admit, as we read the slides
and looked over the exercises today I was left thinking "I have no
idea how long this module is going to take to teach". Because if
your mind is twisted in the right direction, it makes perfect sense.
You decrypt the captcha, and then you move on and decrypt the login
exercise, and it all goes smoothly. No more than an hour. <br>
<br>
But I could also see spending all day on it if your brain wasn't
contorted correctly. And it'd be worth it at the end, because you'll
have root on a lot of boxes you didn't have earlier (which is the
basic definition of success).<br>
<br>
-dave<br>
<br>
<br>
<pre class="moz-signature" cols="72">--
INFILTRATE 2012 January 12th-13th in Miami - the world's best offensive information security conference.
<a class="moz-txt-link-abbreviated" href="http://www.infiltratecon.com">www.infiltratecon.com</a>
</pre>
</body>
</html>