Wade King
Wade is an OSCP and BSCP-certified senior ethical hacker at Packetlabs and a bug bounty hunter in his spare time. He specializes in pentesting web applications and spends many hours researching novel techniques for exploiting the web.
His most recent project has been researching new CBC padding oracle techniques, ever since using a CBC padding oracle for an arbitrary account takeover in a bug bounty program for a popular gambling platform.
2025 Talk
Talk Title: CBC Padding Oracles in 2025
Talk Abstract:
CBC encryption is used in more places than you might expect. Today, developers often happily plug it into their application without understanding the ramifications. Models like ChatGPT will suggest using it if a developer is trying to build something with AES encryption. IDEs will display it first in code suggestions because it comes first alphabetically. In this talk, two new techniques will be presented. The first is a new way of getting a padding oracle without a padding error, and the second is a technique to uncover the IV and decrypt the first block, provided the IV is static and there are enough samples of distinct first blocks.