🔥 3-day streak
CompTIA PenTest+ (PT0-003)94 / 175
Question 94 of 175

During a web application assessment, a tester notices that an authentication token is passed in a cookie as a base64-encoded, AES-CBC-encrypted blob. When the tester submits a token with a slightly altered final block, the server returns a distinct '500 Internal Server Error' (invalid padding), whereas a semantically invalid but well-padded token returns a '403 Forbidden'. The tester wants to recover the plaintext of the token without knowing the encryption key. Which attack should the tester perform?

Reviewed for accuracy · Report an issueNext question