Padding Oracle On Downgraded Legacy Encryption (POODLE)
POODLE
Padding Oracle On Downgraded Legacy Encryption (POODLE), as its name indicates, is a padding oracle attack that abuses the downgrading process from TLS to SSLv3.
Padding oracle attacks require the existence of an oracle, which means a way of identifying when the padding of a packet is correct. This could be as simple as a padding error response from the server. This occurs when an attacker alters the last byte of a valid message and the server responds with an error. When the message is altered and doesn't result in an error, the padding was accepted for the value of that byte. Along with the IV, this can reveal one byte of the keystream and, with that, the encrypted text can be decrypted. Let's remember that IVs need to be sent along with the packages so that the recipient knows how to decrypt the information. This works very much like a blind SQL injection attack.
To achieve this, the attacker would need to achieve a man-in-the-middle position between the client and server and have a mechanism to make the client send the malicious probes. This last requirement can be achieved by making the client open a page that contains JavaScript code that performs that work.
Kali Linux doesn't include an out-of-the-box tool to exploit POODLE, but there is a Proof of Concept(PoC) to do this by Thomas Patzke on GitHub: https://github.com/thomaspatzke/POODLEAttack. It is left to the reader to test this PoC as an exercise.
Most of the time during web application penetration testing, it will be enough for you to see the SSLScan, SSLyze, or Nmap output to know if SSLv3 is allowed, so that a server is vulnerable to POODLE; also that no more tests are required to prove this factor to convince your client to disable a protocol that has been superseded for nearly 20 years and most recently declared obsolete.
Although POODLE is a serious vulnerability for an encryption protocol such as TLS, the complexity of executing it in a real-world scenario makes it much more likely that an attacker will use techniques such as SSL Stripping (https://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf) to force a victim to browse over unencrypted protocols.