Padding Oracle Attack

A padding oracle attack exploits applications that reveal, through their behaviour, whether a decrypted message carried valid padding. By observing the differing responses, an attacker can decrypt any ciphertext byte by byte without knowing the encryption key, and, using the same oracle in reverse, forge ciphertexts that decrypt to plaintext of their choosing.

How It Works

Block ciphers in CBC mode require padding (usually PKCS#7) to fill the last, incomplete block, and the receiver checks that padding after decryption. If an application responds differently when the padding is invalid than when it is valid (a different status code or error message, or even a measurable difference in response time), that difference is an oracle: the attacker never needs the key, only the ability to submit modified ciphertexts and observe which of the two outcomes they produce. The root cause is decrypting input whose integrity has not been verified first.

Attack Process

// Work on one block at a time; within a block, recover the last byte first:
1. Take the target block C[i] and a forged copy of the block before it (C[i-1], or the IV for the first block)
2. Set the forged byte at the current position to a guess (0x00..0xFF), send forged-block + C[i] to the server and observe the response
3. "Invalid padding" = wrong guess
4. "Invalid data" or success = the decrypted byte now equals the expected pad value (0x01 for the last byte, 0x02 for the one before it, and so on)
5. XOR the guess with that pad value to get the intermediate byte D_k(C[i]); XOR that with the real C[i-1] byte to get the plaintext byte
6. Fix the bytes already recovered so they decrypt to the next pad value, and repeat for the next position to the left

// Each byte requires up to 256 attempts (128 on average)
// Full block (16 bytes) = 16 * 256 = 4096 requests max, about 2048 in practice
// Caveat: a "valid" hit on the last byte may be 0x02 0x02 (or longer) rather than 0x01; change the second-to-last forged byte and re-check before accepting it

Example Scenario

// Encrypted cookie
Cookie: session=base64(IV + ciphertext)

// Normal response
HTTP 200 OK

// Modified ciphertext - invalid padding
HTTP 500 "Decryption error"

// Modified ciphertext - valid padding, invalid data
HTTP 400 "Invalid session format"

// Different responses = padding oracle!

Real-World Examples

  • ASP.NET Padding Oracle (CVE-2010-3332)
  • Ruby on Rails session cookies
  • JavaServer Faces (JSF) ViewState

Prevention

  • Use authenticated encryption (AES-GCM or ChaCha20-Poly1305) instead of unauthenticated CBC
  • If CBC must stay, use encrypt-then-MAC: compute an HMAC over the IV and ciphertext and verify it before any decryption, so tampered input is rejected without ever reaching the padding check
  • Compare MAC tags in constant time, so the integrity check does not itself become a timing oracle
  • Return one identical response (status code, body and, as far as possible, timing) for every decryption failure, whatever its cause
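The following is an added worked example covering both the attack process described above and the encrypt-then-MAC fix from the prevention list; it is not code from the original page or from PentesterLab. To stay on the Python standard library it uses a toy SHA-256 Feistel block cipher in place of AES (the attack does not depend on which cipher is used, only on CBC plus an oracle). The keys, IV, cookie contents and the function names `padding_oracle`, `seal`, `open_sealed` and `handle_cookie` are all constructed for the illustration. The attacker side talks to the server only through `oracle(iv, ct)` and never sees the key.

```python
import hashlib
import hmac
import os

BLOCK = 16  # block size in bytes, as for AES

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

# Toy block cipher standing in for AES so the example needs only the standard
# library: an 8-round Feistel network with a SHA-256 round function. NOT secure.
def feistel(key, blk, rounds):
    l, r = blk[:8], blk[8:]
    for rnd in rounds:
        l, r = r, xor(l, hashlib.sha256(key + bytes([rnd]) + r).digest()[:8])
    return r + l  # encrypt with range(8), decrypt with reversed(range(8))

def pad(data):  # PKCS#7
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def unpad(data):
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("invalid padding")
    return data[:-n]

def cbc_encrypt(key, iv, pt):
    out, prev = b"", iv
    for i in range(0, len(pt), BLOCK):
        prev = feistel(key, xor(pt[i:i + BLOCK], prev), range(8))
        out += prev
    return out

def cbc_decrypt(key, iv, ct):
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        out += xor(feistel(key, ct[i:i + BLOCK], reversed(range(8))), prev)
        prev = ct[i:i + BLOCK]
    return out

# Vulnerable server: all it leaks is whether the padding was valid.
def padding_oracle(key, iv, ct):
    try:
        unpad(cbc_decrypt(key, iv, ct))
        return True   # the "400 invalid session format" response above
    except ValueError:
        return False  # the "500 decryption error" response above

# Attacker: recover block `target` (preceded by `prev`) using only the oracle.
def attack_block(oracle, prev, target):
    inter = bytearray(BLOCK)  # recovered intermediate state D_k(target)
    for pos in range(BLOCK - 1, -1, -1):
        pad_val = BLOCK - pos
        forged = bytearray(BLOCK)
        for j in range(pos + 1, BLOCK):  # known bytes: force them to pad_val
            forged[j] = inter[j] ^ pad_val
        for guess in range(256):
            forged[pos] = guess
            if not oracle(bytes(forged), target):
                continue
            if pos == BLOCK - 1:
                # a last-byte hit may be \x02\x02 not \x01: flip the byte before
                forged[pos - 1] ^= 0xFF
                still_valid = oracle(bytes(forged), target)
                forged[pos - 1] ^= 0xFF
                if not still_valid:
                    continue
            inter[pos] = guess ^ pad_val
            break
        else:
            raise RuntimeError("no guess produced valid padding")
    return xor(bytes(inter), prev)

def attack(oracle, iv, ct):
    blocks = [iv] + [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    pt = b"".join(attack_block(oracle, blocks[i - 1], blocks[i])
                  for i in range(1, len(blocks)))
    return unpad(pt)

# Fixed server: encrypt-then-MAC, tag checked in constant time before any
# decryption, and a single status for every kind of failure.
def seal(enc_key, mac_key, pt):
    iv = os.urandom(BLOCK)
    ct = cbc_encrypt(enc_key, iv, pad(pt))
    return iv + ct + hmac.new(mac_key, iv + ct, hashlib.sha256).digest()

def open_sealed(enc_key, mac_key, token):
    iv, ct, tag = token[:BLOCK], token[BLOCK:-32], token[-32:]
    expected = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad tag")  # rejected before anything is decrypted
    return unpad(cbc_decrypt(enc_key, iv, ct))  # unreachable with a forged tag

def handle_cookie(enc_key, mac_key, token):
    try:
        return 200, open_sealed(enc_key, mac_key, token)
    except ValueError:
        return 400, None  # same response whether the tag or the padding failed
```

Running `attack(lambda i, c: padding_oracle(key, i, c), iv, ct)` against a cookie encrypted with `cbc_encrypt(key, iv, pad(secret))` returns `secret` after roughly 128 oracle calls per byte; the attacker code never touches `key`. The 0x01 versus 0x02 0x02 check in `attack_block` is the disambiguation step noted in the attack process. On the fixed side, flipping any byte of a token from `seal` makes `handle_cookie` return 400 before `cbc_decrypt` runs, and a genuine padding failure maps to the same 400, so there is no longer a second outcome to observe.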

PentesterLab Exercises

See Also