Padding Oracle Attacks
Exploitation
A padding oracle attack exploits improper padding validation in CBC (Cipher Block Chaining) mode encryption. When an application responds differently to "invalid padding" than to "decryption failed" (a different message, status code or response length), an attacker can use that difference to decrypt ciphertext byte by byte without knowing the key.
How Padding Oracle Works
```bash
# Padding Oracle Attack Example
# Scenario: Application uses AES-CBC and returns different errors:
#   - "Invalid padding"   (400 Bad Request)
#   - "Decryption failed" (500 Internal Server Error)

# Attack Process:
# 1. Capture encrypted cookie/token (ciphertext)
# 2. Modify last byte of IV (initialization vector)
# 3. Send modified ciphertext to application
# 4. Observe error message:
#    - If "invalid padding"   → keep guessing
#    - If "decryption failed" → found correct byte!
# 5. Repeat for each byte until entire plaintext recovered

# Using PadBuster tool
# Positional arguments: URL, encrypted sample, block size (16 for AES; 8 for DES/3DES).
# -cookies sends the sample in a cookie; -encoding 0 means the sample is Base64.
padbuster http://target.com/decrypt "encrypted_value" 16 -cookies "auth=encrypted_value" -encoding 0

# Manual padding oracle with Burp Intruder
# 1. Capture request with encrypted parameter
# 2. Send to Intruder
# 3. Mark last byte of ciphertext as payload position
# 4. Use Numbers payload (0-255)
# 5. Look for different response length/error message
# 6. Byte that causes different behavior reveals plaintext

# Prevention:
# - Use authenticated encryption (AES-GCM, ChaCha20-Poly1305)
# - Return same error for all decryption failures
# - Don't expose padding validation errors to users
```
Famous Padding Oracle Attacks
The ASP.NET vulnerability MS10-070 allowed decryption of ViewState. Padding oracle flaws also affected Ruby on Rails (2013) and many other web frameworks using AES-CBC with PKCS#7 padding.
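As an added example (not code from the original page), the two server-side decryption paths from the scenario above in Go: an AES-CBC handler that, like the vulnerable application described, tells "invalid padding" apart from "decryption failed", beside a hardened AES-GCM handler that applies both preventions and returns one opaque error for every failure. The 16-byte key, the IV, both token layouts and the `user=` token prefix check are assumptions made for the demonstration.

```go
package main

import "bytes"
import "crypto/aes"
import "crypto/cipher"
import "errors"

var ErrBadPadding = errors.New("invalid padding")     // app maps this to 400: the oracle signal
var ErrDecryptFailed = errors.New("decryption failed") // app maps this to 500
var ErrInvalidToken = errors.New("invalid token")      // hardened path: one error for every failure

// cbcEncrypt builds a sample token iv || AES-CBC(PKCS#7(pt)). Demo helper; 16-byte key assumed.
func cbcEncrypt(key, iv, pt []byte) []byte {
	block, _ := aes.NewCipher(key)
	n := aes.BlockSize - len(pt)%aes.BlockSize
	buf := append(append([]byte{}, pt...), bytes.Repeat([]byte{byte(n)}, n)...)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(buf, buf) // encrypt in place
	return append(append([]byte{}, iv...), buf...)
}

// vulnerableDecrypt: a padding failure and a post-decryption failure are told apart by the error.
func vulnerableDecrypt(key, token []byte) ([]byte, error) {
	if len(token) < 2*aes.BlockSize || len(token)%aes.BlockSize != 0 {
		return nil, ErrDecryptFailed
	}
	block, _ := aes.NewCipher(key)
	pt := append([]byte{}, token[aes.BlockSize:]...)
	cipher.NewCBCDecrypter(block, token[:aes.BlockSize]).CryptBlocks(pt, pt) // decrypt in place
	n := int(pt[len(pt)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(pt[len(pt)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, ErrBadPadding // leaks "padding wrong"
	}
	if pt = pt[:len(pt)-n]; !bytes.HasPrefix(pt, []byte("user=")) { // format check after unpadding
		return nil, ErrDecryptFailed // leaks "padding right, content wrong"
	}
	return pt, nil
}

// hardenedDecrypt: AES-GCM (authenticated) plus one opaque error. Token layout: nonce || ct+tag.
func hardenedDecrypt(key, token []byte) ([]byte, error) {
	block, _ := aes.NewCipher(key)
	aead, _ := cipher.NewGCM(block)
	if len(token) >= aead.NonceSize() {
		if pt, err := aead.Open(nil, token[:aead.NonceSize()], token[aead.NonceSize():], nil); err == nil {
			return pt, nil // tag verified before any plaintext is released
		}
	}
	return nil, ErrInvalidToken // wrong length, bad tag or anything else: the same answer
}
```

The first function lets a tampered token be sorted into "padding wrong" versus "padding right", which is exactly the signal the attack process above depends on; the second gives the same answer whether the token is truncated, tampered or encrypted under another key.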