If you spend enough time poking at web applications, you’ll eventually run into a target that handles session management poorly. You’ll intercept a request, look at the cookie, and see a massive, encrypted string.
For a lot of testers, encrypted state data is a dead end. If you can’t read it, you move on.
But if that application relies on CBC (Cipher Block Chaining) mode without an integrity check (such as a MAC), that encrypted cookie isn’t a dead end. It’s an attack vector.
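The missing integrity check in concrete terms, as an added example that is not code from the original post: stdlib-only Go that seals a session cookie with AES-CBC plus HMAC-SHA256 (encrypt-then-MAC) and opens it either with the tag verified before decryption or, as the vulnerable application does, without it. The keys, the cookie contents and the tamperDemo helper are constructed for this example; one flipped bit in the IV comes back from the MAC-less path as a silently altered plaintext and from the checked path as a rejection.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
)

// Keys are constructed for this example; a real app derives separate enc/mac keys with a KDF.
var encKey, macKey = []byte("0123456789abcdef"), []byte("example-mac-key-32-bytes-long!!!")
var block, _ = aes.NewCipher(encKey) // AES-128; the key length is fixed above, so no error
func tag(body []byte) []byte { m := hmac.New(sha256.New, macKey); m.Write(body); return m.Sum(nil) }

// sealCookie returns base64(IV || AES-CBC ciphertext || HMAC-SHA256 tag): encrypt-then-MAC.
func sealCookie(plain []byte) string {
	pad := aes.BlockSize - len(plain)%aes.BlockSize // PKCS#7 padding
	body := append(append(make([]byte, aes.BlockSize), plain...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	rand.Read(body[:aes.BlockSize]) // fresh random IV (crypto/rand.Read is documented never to fail since Go 1.24)
	cipher.NewCBCEncrypter(block, body[:aes.BlockSize]).CryptBlocks(body[aes.BlockSize:], body[aes.BlockSize:]) // in place
	return base64.StdEncoding.EncodeToString(append(body, tag(body)...))
}

// openCookie with verifyMAC=true compares the tag in constant time before any decryption, so a
// flipped bit anywhere is rejected; with verifyMAC=false it decrypts and trusts whatever arrives.
func openCookie(cookie string, verifyMAC bool) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(cookie)
	if err != nil || len(raw) < 2*aes.BlockSize+sha256.Size || (len(raw)-sha256.Size)%aes.BlockSize != 0 {
		return nil, errors.New("malformed cookie")
	}
	body := raw[:len(raw)-sha256.Size]
	if verifyMAC && !hmac.Equal(tag(body), raw[len(body):]) {
		return nil, errors.New("integrity check failed")
	}
	out := make([]byte, len(body)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, body[:aes.BlockSize]).CryptBlocks(out, body[aes.BlockSize:])
	if pad := int(out[len(out)-1]); pad > 0 && pad <= aes.BlockSize {
		return out[:len(out)-pad], nil
	}
	return nil, errors.New("bad padding")
}

// tamperDemo (constructed helper) seals plain, flips one IV bit and opens the result both ways.
func tamperDemo(plain []byte) (macless []byte, maclessErr, macErr error) {
	raw, _ := base64.StdEncoding.DecodeString(sealCookie(plain))
	raw[0] ^= 0x01 // a single flipped bit in the IV
	macless, maclessErr = openCookie(base64.StdEncoding.EncodeToString(raw), false)
	_, macErr = openCookie(base64.StdEncoding.EncodeToString(raw), true)
	return
}
```

Because CBC decryption XORs each ciphertext block into the next plaintext block, the MAC-less path returns the original cookie with exactly that one bit changed and no error, which is why the tag must be checked before the ciphertext is ever decrypted.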
Here is a practical, step-by-step methodology for testing web applications for CBC bit flipping vulnerabilities safely and effectively.
The Methodology: How to Test for Bit Flipping