← Lessons

quiz vs the machine

Platinum1780

Security

The Padding Oracle Attack

How a server that reveals padding validity leaks decrypted plaintext.

5 min read · advanced · beat Platinum to climb

A Leak From Error Messages

A padding oracle is any system that tells an attacker whether a ciphertext decrypted to valid padding. With block cipher modes like CBC, that one bit of feedback is enough to recover plaintext byte by byte without the key.

How The Leak Works

  • The attacker tweaks a ciphertext block and submits it.
  • A distinct response for bad padding versus other errors reveals padding validity.
  • Repeating this with adjusted bytes uncovers each plaintext byte in turn.

Defenses

  • Use authenticated encryption so tampered ciphertext is rejected before decryption logic runs.
  • Verify a message authentication code first, and fail with a single uniform error.
  • Avoid leaking padding versus other failures through messages, timing, or status codes.

Key idea

A padding oracle leaks plaintext from validity feedback, so use authenticated encryption, check the MAC first, and return a single uniform error.

Check yourself

Answer to earn rating on the learn ladder.

1. What does a padding oracle reveal to the attacker?

2. Which defense eliminates the oracle?