CBC Bit Flipping Attack

CBC Bit Flipping Attack exploits the chaining property of CBC mode encryption. By flipping bits in one ciphertext block, an attacker can make predictable changes to the next decrypted plaintext block, potentially modifying data like user roles or amounts.

How CBC Works

Encryption:
C[i] = Encrypt(P[i] XOR C[i-1])

Decryption:
P[i] = Decrypt(C[i]) XOR C[i-1]

// Key insight: modifying C[i-1] affects P[i]

Attack Principle

// If we know the plaintext P[i] at some position:
// And we want it to become P'[i]:

// Modify C[i-1] by XORing with:
C'[i-1] = C[i-1] XOR P[i] XOR P'[i]

// Result after decryption:
P'[i] = Decrypt(C[i]) XOR C'[i-1]
      = Decrypt(C[i]) XOR C[i-1] XOR P[i] XOR P'[i]
      = P[i] XOR P[i] XOR P'[i]
      = P'[i]  ✓

Example Attack

// Encrypted cookie contains:
// Block 1: "user=bob;admi"
// Block 2: "n=false;time="

// To change "admin=false" to "admin=true;":
// Flip bits in Block 1 to affect Block 2

// Original byte: 'f' (0x66)
// Target byte:   't' (0x74)
// XOR mask: 0x66 XOR 0x74 = 0x12

// Modify corresponding byte in Block 1
// Block 2 now decrypts with "admin=true;"

Trade-off

The block you modify (C[i-1]) decrypts to garbage. Attackers must ensure this doesn't break parsing or is in a non-critical field.

Prevention

• Use authenticated encryption (AES-GCM)
• Add HMAC over ciphertext (encrypt-then-MAC)
• Validate data integrity before processing

PentesterLab Exercises

• CBC Exercises

See Also

• Cipher Block Chaining (CBC)
• Padding Oracle Attack
• Galois/Counter Mode (GCM)