The attack brute-forces the encrypted data block by block, exploiting several properties of the CBC (Cipher Block Chaining) mode of operation used to encrypt it. 14 requests are necessary to decrypt each byte of data, which makes the attack very noisy.
The operation is similar to blind attack techniques, and successful exploitation relies on error messages sent by the server under specific circumstances.
These error messages are sent through the standard SOAP fault mechanism. This mechanism sends out two XML elements:
rWeb 4.0 can natively mitigate the attack by stripping out the
In rWeb 3.x, UBT must be used to prevent multiple accesses to the same Web Service from a single source in a short amount of time.
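A detector in the spirit of the rate-based mitigation described above, added here as an example and not part of rWeb or the original page: it flags a source that produces an attack-sized run of SOAP faults against one Web Service within a short window (the threshold is taken from the 14 requests per byte stated above). The log format, IP addresses and window size are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAULT_THRESHOLD = 14            # ~14 oracle requests per decrypted byte (from the text)
WINDOW = timedelta(seconds=10)  # assumed "short amount of time"

def parse_line(line):
    """Constructed log format: '<iso-timestamp> <client-ip> <service-path> fault|ok'."""
    ts, src, svc, outcome = line.split()
    return datetime.fromisoformat(ts), src, svc, outcome == "fault"

def detect_fault_bursts(lines, threshold=FAULT_THRESHOLD, window=WINDOW):
    """Return {(src, service): time_of_alert} for every (source, Web Service) pair
    that triggered >= threshold SOAP faults inside a sliding window. Only faulted
    responses count, because the oracle attack is fed by error responses."""
    windows = defaultdict(deque)   # (src, svc) -> timestamps of recent faults
    alerts = {}
    for line in lines:
        ts, src, svc, is_fault = parse_line(line)
        if not is_fault:
            continue
        key = (src, svc)
        q = windows[key]
        q.append(ts)
        while q and ts - q[0] > window:   # drop faults older than the window
            q.popleft()
        if len(q) >= threshold and key not in alerts:
            alerts[key] = ts
    return alerts

def build_sample_log():
    """Constructed sample traffic (not real data) for one Web Service endpoint."""
    base = datetime(2024, 1, 1, 10, 0, 0)
    lines = []
    # Oracle-style burst: 16 faulted requests from one source within 8 seconds.
    for i in range(16):
        t = (base + timedelta(milliseconds=500 * i)).isoformat()
        lines.append(f"{t} 203.0.113.5 /ws/Payment fault")
    # Benign client: a few faults, 30 seconds apart.
    for i in range(3):
        t = (base + timedelta(seconds=30 * i)).isoformat()
        lines.append(f"{t} 198.51.100.7 /ws/Payment fault")
    # Benign client: many successful calls, no faults at all.
    for i in range(20):
        t = (base + timedelta(milliseconds=200 * i)).isoformat()
        lines.append(f"{t} 198.51.100.8 /ws/Payment ok")
    return lines

if __name__ == "__main__":
    for (src, svc), when in detect_fault_bursts(build_sample_log()).items():
        print(f"ALERT {when.isoformat()} {src} -> {svc}: fault burst")
```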