EncryptCodecencryptcodec
Simulations/Padding Oracle

Padding Oracle Attack

Advanced

Decrypt AES-CBC ciphertext without knowing the key — using only a padding oracle. Flip bytes in the IV, query the oracle, and recover the plaintext one byte at a time.

Progress:
1
Single Byte Recovery
2
Full Block Decryption
3
Read the Secret Message
Proposed IV (click +/− to flip bytes)
1a
[0]
2b
[1]
3c
[2]
4d
[3]
5e
[4]
6f
[5]
70
[6]
81
[7]
92
[8]
a3
[9]
b4
[10]
c5
[11]
d6
[12]
e7
[13]
f8
[14]
09
[15]
Original IV (fixed):
1a2b3c4d5e6f708192a3b4c5d6e7f809
Ciphertext C1 (fixed):
08283a4b556375e39fb3b7c4d8e09b6a
0
Queries
0
Bytes found
Recovered plaintext
·
·
·
·
·
·
·
·
·
·
·
·
·
·
·
·
Oracle responses
Modify the IV and click Query Oracle…

Challenges

1
Single Byte Recovery
Flip IV[15] until the oracle returns VALID — recover the last byte of the plaintext.
hints
2
Full Block Decryption
Recover all 16 bytes of the plaintext by repeating the oracle attack for each byte position.
hints
3
Read the Secret Message
Run the full automated oracle attack and decrypt the hidden ciphertext.
hints
How to prevent padding oracle attacks
Authenticated encryption, MAC-then-Encrypt, and timing

Frequently Asked Questions