Padding oracle attack


In cryptography, a padding oracle attack is an attack that exploits the padding of a cryptographic message. Variable-length plaintext messages often have to be padded (expanded) to a multiple of the block size to be compatible with the underlying cryptographic primitive. The attack relies on having a "padding oracle": a party that freely answers queries about whether a given message is correctly padded or not. Padding oracle attacks are mostly associated with CBC mode decryption in block ciphers. Padding schemes for asymmetric algorithms, such as OAEP, may also be vulnerable to padding oracle attacks.

In symmetric cryptography, the padding oracle attack can be applied to the CBC mode of operation, where the "oracle" (usually a server) leaks whether the padding of a submitted ciphertext decrypts correctly or not. That single bit per query is enough to let an attacker decrypt (and sometimes encrypt) messages under the oracle's key without ever learning the key itself.

Suppose the attacker has two ciphertext blocks and wants to decrypt the last one (recover its plaintext). They know only that the last block is padded correctly and that the padding method is PKCS7, which means the block ends in n bytes, each equal to n (for example: six bytes, each byte = 0x06).
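The following is an added example and not code from the Wikipedia article: a complete, self-contained simulation in Python of the CBC attack described above. To run offline it uses a toy 4-round Feistel permutation built from SHA-256 in place of AES (an assumption; the attack never looks inside the block cipher, so any keyed permutation serves), a hypothetical `PaddingOracle` class standing in for the leaky server, and a constructed key, IV and message. `recover_block` recovers one block byte by byte from the last byte backwards, including the check that a "valid" answer for pad 0x01 is not really a longer pad, and `forge_ciphertext` uses the same oracle to build a ciphertext for a chosen plaintext, which is the "sometimes encrypt" case mentioned above.

```python
import hashlib

BLOCK = 16
# Constructed demo inputs, not from the article: a 16-byte key, an IV and a message.
KEY, IV, MSG = b"constructed-key!", bytes(range(BLOCK)), b"attack at dawn; the oracle leaks one bit per query"

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key: bytes, half: bytes, rnd: int) -> bytes:
    # Keyed round function: SHA-256 of (key, round, half), truncated to 8 bytes.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]

def encrypt_block(key: bytes, block: bytes) -> bytes:
    # Toy 4-round Feistel permutation standing in for AES (assumption, see lead-in).
    l, r = block[:8], block[8:]
    for rnd in range(4):
        l, r = r, _xor(l, _round(key, r, rnd))
    return l + r

def decrypt_block(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _round(key, l, rnd)), l
    return l + r

def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK  # 1..16; an aligned message gets a full pad block
    return data + bytes([n]) * n

def pkcs7_valid(data: bytes) -> bool:
    n = data[-1] if data else 0
    return 1 <= n <= BLOCK and data.endswith(bytes([n]) * n)

def pkcs7_unpad(data: bytes) -> bytes:
    if not pkcs7_valid(data):
        raise ValueError("bad padding")
    return data[:-data[-1]]

def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    out, prev, padded = [], iv, pkcs7_pad(plaintext)
    for i in range(0, len(padded), BLOCK):
        prev = encrypt_block(key, _xor(padded[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(ciphertext), BLOCK):
        out.append(_xor(decrypt_block(key, ciphertext[i:i + BLOCK]), prev))
        prev = ciphertext[i:i + BLOCK]
    return b"".join(out)

class PaddingOracle:
    # The leaky server: all it reveals is whether the padding came out valid.
    def __init__(self, key: bytes):
        self.key, self.queries = key, 0
    def __call__(self, iv: bytes, ciphertext: bytes) -> bool:
        self.queries += 1
        return pkcs7_valid(cbc_decrypt(self.key, iv, ciphertext))

def recover_block(oracle, prev: bytes, target: bytes) -> bytes:
    # Recover P = D_k(target) XOR prev byte by byte, last byte first, by sending
    # `target` behind a forged block that takes the place of `prev`.
    inter = bytearray(BLOCK)  # D_k(target), as learned so far
    for pad in range(1, BLOCK + 1):
        pos = BLOCK - pad
        forged = bytearray(BLOCK)
        for j in range(pos + 1, BLOCK):
            forged[j] = inter[j] ^ pad  # known tail bytes now decrypt to `pad`
        for guess in range(256):
            forged[pos] = guess
            if not oracle(bytes(forged), target):
                continue
            if pad == 1:
                # Edge case: a hit for 0x01 may really be a longer pad such as
                # ..02 02; disturb the byte before it and ask once more.
                probe = bytearray(forged)
                probe[pos - 1] ^= 0xFF
                if not oracle(bytes(probe), target):
                    continue
            inter[pos] = guess ^ pad
            break
        else:
            raise RuntimeError("no guess accepted: not a padding oracle?")
    return _xor(bytes(inter), prev)

def recover_plaintext(oracle, iv: bytes, ciphertext: bytes) -> bytes:
    blocks = [iv] + [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    padded = b"".join(recover_block(oracle, blocks[i - 1], blocks[i]) for i in range(1, len(blocks)))
    return pkcs7_unpad(padded)

def forge_ciphertext(oracle, plaintext: bytes):
    # "Encrypt" without the key: pick the final block freely, then walk backwards,
    # setting each earlier block to D_k(next block) XOR the plaintext wanted there.
    padded, cur = pkcs7_pad(plaintext), bytes(BLOCK)
    chain = [cur]
    for i in range(len(padded) - BLOCK, -1, -BLOCK):
        inter = recover_block(oracle, bytes(BLOCK), cur)  # prev = 0 yields D_k(cur)
        cur = _xor(inter, padded[i:i + BLOCK])
        chain.append(cur)
    chain.reverse()
    return chain[0], b"".join(chain[1:])  # (iv, ciphertext)
```

Each byte costs at most 256 queries, so one block costs at most 4096 plus the re-checks for the final byte; the oracle's `queries` counter makes the cost visible. On the server side the defence is to make a padding failure indistinguishable from any other decryption failure, which in practice means authenticating the ciphertext (a MAC checked before decryption, or an AEAD mode) so that tampered ciphertexts are rejected before padding is ever examined.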

Wikipedia