Wombat: one more Bleichenbacher attacks toolbox

Wombat is a toolkit to identify, assess and exploit padding oracles in RSA PKCS#1 v1.5 implementations (following the attack devised by Daniel Bleichenbacher in 1998, BB98).

The attack's principle is the following: when you use RSA encryption as specified in PKCS#1 v1.5, you use so-called type 2 padding. This means that a well-formed plaintext should start with 00 02 before being encrypted. So, if an attacker can distinguish between correctly-padded and incorrectly-padded messages, they can learn that a raw plaintext starts with 00 02, which translates into interesting inequalities. With enough interactions, the attacker can recover an encrypted message.

The attack was originally dubbed the Million Message Attack. Yet, an attacker usually needs fewer interactions, especially with the improvements published afterwards (e.g. Bardou et al.).
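The type 2 padding format and the inequality it implies, as an added example that is not part of Wombat's code: it builds a padded block, compares a header-only receiver with a stricter one, and checks that a 00 02 prefix is the same thing as 2B <= m < 3B. The names `pad_type2`, `header_only_check`, `full_check`, `in_conforming_interval` and `report`, the 128-byte block size and all sample blocks are assumptions made for the illustration.

```python
import os

K = 128                  # modulus size in bytes (constructed: 1024-bit key)
B = 1 << (8 * (K - 2))   # integer value of the K-byte block 00 01 00 ... 00


def pad_type2(message: bytes) -> bytes:
    """Build 00 02 || PS || 00 || M, with PS at least 8 non-zero bytes."""
    ps_len = K - 3 - len(message)
    if ps_len < 8:
        raise ValueError("message too long for this modulus size")
    # Map random bytes into 1..255 (slightly biased, fine for a demo).
    ps = bytes(b % 255 + 1 for b in os.urandom(ps_len))
    return b"\x00\x02" + ps + b"\x00" + message


def header_only_check(block: bytes) -> bool:
    """Lenient receiver: accepts anything that starts with 00 02."""
    return block[:2] == b"\x00\x02"


def full_check(block: bytes) -> bool:
    """Strict receiver: header, 8+ non-zero padding bytes, 00 separator."""
    if block[:2] != b"\x00\x02":
        return False
    sep = block.find(b"\x00", 2)   # first zero byte after the header
    return sep >= 10               # -1 (no separator) and 2..9 both fail


def in_conforming_interval(block: bytes) -> bool:
    """The inequality behind the attack: 00 02 prefix <=> 2B <= m < 3B."""
    m = int.from_bytes(block, "big")
    return 2 * B <= m < 3 * B


def report(block: bytes) -> tuple:
    return (header_only_check(block), full_check(block),
            in_conforming_interval(block))


if __name__ == "__main__":
    good = pad_type2(b"constructed session key")
    samples = {                                   # all constructed inputs
        "well-formed": good,
        "wrong header": b"\x00\x01" + good[2:],
        "zero in first 8 PS bytes": b"\x00\x02\x11\x00" + b"\x22" * (K - 4),
        "no separator": b"\x00\x02" + b"\x33" * (K - 2),
    }
    for name, block in samples.items():
        print(f"{name:26} header/full/interval = {report(block)}")
```

The header-only result always equals the interval result, while the strict receiver rejects two sample blocks that still lie in [2B, 3B).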

You should only use it in a lawful manner, which includes security challenges, educational purposes or legitimate security audits.

It is being developed and maintained by Olivier Levillain and Aina Toky Rasoamanana.


Wombat's architecture is modular, in the sense that attack algorithms are completely separated from the code required to interact with the target.

Indeed, you need to write a stub to tell Wombat how to obtain the public key and how to submit altered encrypted messages.

For now, the attacks implemented are:

  • the original one (from BB98) and
  • several improvements from Bardou et al.

The source code also provides simple oracles and basic blocks to test classical behaviours:

  • TTT, FTT, TFT, FFT and FFF oracles (we follow the naming used in Bardou et al.)
  • functions to identify oracles
  • a vulnerable TCP server
  • Dockerfiles to run vulnerable TLS servers
  • a vulnerable XML Encryption implementation

Regarding the stubs, Wombat currently implements:

  • a simple TCP stub, which mostly aims at showing how stubs work
  • a TLS stub
  • XML Encryption stubs (intended for testing command-line tools)


Wombat was presented (or will be presented) at the following events:


Wombat is open-source software (under the BSD license). The source code is available on GitLab. The project is written in Python 3.

The most recent release is v0.5.