Cryptography Padding Oracle Attacks

Stepping through understanding padding on block cipher algorithms AES, 3DES in Electronic Code Block (ECB and Cipher Block Chaining (CBC) modes. Decryption of session cookie is of a vulnerable webapps via Oracle Attack.

Legal Notice && Usage: The information provided by executeatwill is to be used for educational purposes only. The website creator and/or editor is in no way responsible for any misuse of the information provided. All the information on this website is meant to help the reader develop penetration testing and vulnerability aptitude to prevent attacks discussed. In no way should you use the information to cause any kind of damage directly or indirectly. Information provided by this website is to be regarded from an “ethical hacker” standpoint. Only preform testing on systems you OWN and/or have expressed written permission. Use information at your own risk. By continuing, you acknowledge the aforementioned user risk/responsibilities.

Understanding Padding

Padding is adding data in series to either the beginning middle or end of a message prior to encryption.

in cryptography block cipher algorithms such as AES, 3DES in electronic code block and cipher block chaining mode requires that input be the exact same block size on adjacent sides. Thus is a plaintext is not the same size of the block the extra data used is referred to as the padding which is before the encryption.

when an application attempts to decrypt a cipher text it must know how to remove the padding.

the cons of these two modes:

  • CBC mode can leak the information if handed poorly
  • ECB mode can leak the same cipher text block

Two Types of Padding Standards

Public Key Cryptography Standards

  • PKCS #7 - current used standard - allows block sizes up to 255
  • PKCS #5 - prior standard only applicable for 8 byte blocks

Note: Padding will be composed of the same number as equals the number the bytes required

Example 1

Encrypting “Iamplaintext” plaintext with DES encryption in ECB mode

Encryption of DES the block size is 64bits Blocks broke into equal 8 blocks there are 4 empty blocks delineated by the “?” in the second block

Example 2

As the padding is added via the PKCS #7 where where bytes are missing they are replaced the the byte number.

“0x01” (one byte missing and padding added) “0x02” (two byes missing and padding added) “0x03” (three bytes were missing and padding added)

During the decryption process the application first decrypts the data then the padding. As the padding is sequenced by changing padding can cause an attack can depict the encrypted data by providing plaintext.

Padding Oracle Attack

AES encryption is broken into 16bit block sizes

an attacker can create an oracle using ? = 0x01 ^ X which returns as valid via XOR.

Since the last byte can have up to 256 values an attacker can manipulate the n - y block until all the possibilities have occurred or when padding written is valid (using x02, x03… etc)

By using pass field response the value can guessed and later the data can be decrypted.

Detecting Vulnerable Service

Can be accomplished by inspecting the following attributes:

  • cookies - (logging into a service and evaluating cookie - value/length of cookie is the same)
  • request parameters - (can look like random values or ciphertext, remove one or more characters and analyze the response)
  • Hidden field values

In these instances the application could have a padding oracle if an error is thrown when manipulating the value sizes. Further more cookie values can be inspected against base64 if the output looks random and the length is a multiple of a common block cipher size can identify a padding oracle.


Web application running that displays a username when the cookie length is not sufficient.

Decrypting the data to gain administrator access by create a user xxxx and password

cookie created with the name PadOrc

Inspect the cookie length

by removing a character from the sequence and replacing with cookie on webpage the server throws an error:


Automated script for performing Padding Oracle Attacks Github:


padbuster "gNA.......2BJ" 8  -cookie "padOrc=gNA.......2BJ" -error "Padding is altered"

Completed attack:

Admin user cookie as we have the admin user name we can pass the flag “plaintext” and attain an admin cookie.


padbuster "gNA.......2BJ" 8  -cookie "padOrc=gNA.......2BJ" -error "Padding is altered" -plaintext "user=prodigiosMind"

Completed attack:

ciphertext of administrator account cookie discovered.

Pass as cookie on browser:

Page refreshed:

video source reference: