
Can token decryption endpoint response codes variability lead to security vulnerabilities?

Çağlar Arlı - 23 Views

To clarify the question, here's our case:

We generate encrypted tokens by applying AES-CBC (256 bit) and Base64 to the payload:

encrypted_token = Base64.encode(AES_CBC_256.encrypt(key, iv, payload)).

These encrypted tokens are publicly available. It's quite obvious that these tokens are Base64'd, so that's not a secret. Our web service provides an HTTP endpoint which receives an encrypted token, decrypts it (via AES_CBC_256.decrypt(Base64.decode(encrypted_token))) and performs some action with it.

Decryption function implementation (let's name it decrypt_token) does some stdlib OpenSSL and Base64 invocations. Normally the endpoint responds with HTTP 200 OK. We catch all the exceptions we are aware of and respond with some specific HTTP code (say, 400 Bad Request). But unexpected exceptions might still occur (say, if someone adds some bugs to decrypt_token or in case of an OpenSSL dependency update). These exceptions will lead to HTTP 500. To sum up, the endpoint might respond with 200 (in case of a valid token), 400 or 500. Note that there are no additional error details in the response body or headers.

Finally, the question: is it possible for an attacker to obtain some information about the token structure due to the response code variation? Are there any possible attack vectors? One possible enhancement is to handle all the exceptions and always respond with the same error code. Is it necessary? Are there any known related security incidents?

Thanks!
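As an added example (not the asker's code), this Ruby sketch puts the handler shape from the question beside a hardened one: the first decrypts unauthenticated CBC and maps known exceptions to 400 and everything else to 500, so the two codes are distinguishable to a caller; the second verifies an HMAC over the ciphertext in constant time before any decryption and returns one code for every failure. The key constants, helper names and the payload are assumptions for the demo.

```ruby
require 'openssl'
require 'base64'

# Constructed demo keys; production keys come from a secret store.
ENC_KEY = OpenSSL::Random.random_bytes(32)
MAC_KEY = OpenSSL::Random.random_bytes(32)
IV_LEN, TAG_LEN = 16, 32
def cbc_encrypt(payload)
  iv = OpenSSL::Random.random_bytes(IV_LEN)
  c = OpenSSL::Cipher.new('aes-256-cbc').encrypt
  c.key, c.iv = ENC_KEY, iv
  iv + c.update(payload) + c.final
end
def cbc_decrypt(raw)
  c = OpenSSL::Cipher.new('aes-256-cbc').decrypt
  c.key, c.iv = ENC_KEY, raw[0, IV_LEN]
  c.update(raw[IV_LEN..]) + c.final # raises CipherError on bad padding
end

# Shape from the question: no MAC; known errors map to 400, anything else to 500.
def handle_leaky(token)
  cbc_decrypt(Base64.strict_decode64(token))
  200
rescue OpenSSL::Cipher::CipherError
  400 # a padding failure is told apart from the 500 below: a padding oracle
rescue StandardError
  500
end

# Hardened: encrypt-then-MAC, constant-time tag check before decrypting, one code for all failures.
def encrypt_token(payload)
  ct = cbc_encrypt(payload)
  Base64.strict_encode64(ct + OpenSSL::HMAC.digest('SHA256', MAC_KEY, ct))
end
def constant_time_equal?(a, b)
  a.bytesize == b.bytesize &&
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end
def decrypt_token(token)
  raw = Base64.strict_decode64(token)
  return nil if raw.bytesize < IV_LEN + 16 + TAG_LEN # iv + one block + tag
  ct, tag = raw[0...-TAG_LEN], raw[-TAG_LEN..]
  return nil unless constant_time_equal?(OpenSSL::HMAC.digest('SHA256', MAC_KEY, ct), tag)
  cbc_decrypt(ct)
end
def handle_hardened(token)
  decrypt_token(token) ? 200 : 400
rescue StandardError
  400 # expected or not, every failure looks the same to the caller
end
```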