padding-oracle-anti-pattern


Padding Oracle Anti-Pattern

Severity: High

Summary

Applications leak whether decryption produced correct padding, either through distinct error messages ("Invalid Padding" vs. "Decryption Failed") or through timing differences. An attacker who can submit modified ciphertext and observe those responses can decrypt an entire message byte-by-byte without ever learning the key, breaking confidentiality.

The Anti-Pattern

The anti-pattern is decrypting in CBC mode and returning a different response depending on which step of decryption failed (the padding check versus anything else).

BAD Code Example

# VULNERABLE: The decryption function returns different error messages.
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.primitives import padding
from flask import request
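The following is an added example, not the skill's own code, that puts the anti-pattern beside its fix so the leak can be observed directly. Because it has to run on the standard library alone, AES is replaced by a constructed 4-round Feistel toy cipher (`toy_block_encrypt` / `toy_block_decrypt`); the CBC, PKCS#7 and error-handling logic is the same as it would be with a real cipher. `vulnerable_decrypt` follows a MAC-then-encrypt layout and answers "Invalid Padding" or "Decryption Failed" depending on which check tripped; `hardened_decrypt` uses encrypt-then-MAC, verifies the tag over IV and ciphertext with `hmac.compare_digest` before touching the padding, and returns one generic response for every failure. All function names, keys and messages are constructed for this example.

```python
# Added example (not the skill's own code): padding-oracle anti-pattern vs. encrypt-then-MAC.
# The block cipher is a constructed Feistel toy standing in for AES so this runs offline on
# the standard library; the error-handling pattern around it is the point.
import hashlib
import hmac
import os

BLOCK = 16      # block size in bytes, same as AES
TAG_LEN = 32    # HMAC-SHA256 tag length

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key, half, i):
    # Toy round function: keyed hash of one 8-byte half plus the round index.
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]

def toy_block_encrypt(key, block):
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, _xor(l, _round(key, r, i))
    return l + r

def toy_block_decrypt(key, block):
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _round(key, l, i)), l
    return l + r

def pkcs7_pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def pkcs7_unpad(data):
    # Raises on malformed padding; what the caller reveals about that is the issue.
    n = data[-1] if data else 0
    if n < 1 or n > BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("Invalid Padding")
    return data[:-n]

def cbc_encrypt(key, iv, plaintext):
    out, prev = b"", iv
    for i in range(0, len(plaintext), BLOCK):
        prev = toy_block_encrypt(key, _xor(plaintext[i:i + BLOCK], prev))
        out += prev
    return out

def cbc_decrypt(key, iv, ciphertext):
    out, prev = b"", iv
    for i in range(0, len(ciphertext), BLOCK):
        blk = ciphertext[i:i + BLOCK]
        out += _xor(toy_block_decrypt(key, blk), prev)
        prev = blk
    return out

def vulnerable_encrypt(enc_key, mac_key, msg):
    # MAC-then-encrypt: the tag sits inside the padded plaintext.
    iv = os.urandom(BLOCK)
    tag = hmac.new(mac_key, msg, hashlib.sha256).digest()
    return iv + cbc_encrypt(enc_key, iv, pkcs7_pad(msg + tag))

def vulnerable_decrypt(enc_key, mac_key, token):
    # ANTI-PATTERN: padding failures and MAC failures get different responses, so the
    # caller learns whether a modified ciphertext still decrypted to valid padding.
    iv, ct = token[:BLOCK], token[BLOCK:]
    if not ct or len(ct) % BLOCK:
        return None, "Decryption Failed"
    try:
        pt = pkcs7_unpad(cbc_decrypt(enc_key, iv, ct))
    except ValueError:
        return None, "Invalid Padding"      # distinguishable error #1
    msg, tag = pt[:-TAG_LEN], pt[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(mac_key, msg, hashlib.sha256).digest(), tag):
        return None, "Decryption Failed"    # distinguishable error #2
    return msg, None

def hardened_encrypt(enc_key, mac_key, msg):
    # Encrypt-then-MAC: the tag covers IV and ciphertext, so tampering is caught first.
    iv = os.urandom(BLOCK)
    body = iv + cbc_encrypt(enc_key, iv, pkcs7_pad(msg))
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()

def hardened_decrypt(enc_key, mac_key, token):
    # One generic response for every failure; padding is never inspected on tampered input.
    if len(token) < 2 * BLOCK + TAG_LEN or (len(token) - TAG_LEN) % BLOCK:
        return None, "Decryption Failed"
    body, tag = token[:-TAG_LEN], token[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(mac_key, body, hashlib.sha256).digest(), tag):
        return None, "Decryption Failed"
    try:
        return pkcs7_unpad(cbc_decrypt(enc_key, body[:BLOCK], body[BLOCK:])), None
    except ValueError:
        return None, "Decryption Failed"

def tamper(token, index, mask=0x80):
    # Flip bits in one byte of a token (constructed test input for the comparison above).
    t = bytearray(token)
    t[index] ^= mask
    return bytes(t)
```

With a 19-byte message the vulnerable token carries four ciphertext blocks and a padding byte of 0x0d; flipping the high bit of the last byte of the penultimate ciphertext block turns that padding byte into 0x8d and the function answers "Invalid Padding", while flipping an IV byte leaves the padding intact and yields "Decryption Failed". The hardened decryptor answers "Decryption Failed" for both modifications, and for a truncated token, because the tag check fails before any block is decrypted. Note that the generic message alone is not enough in the vulnerable layout: the time spent on the MAC check still differs between the two paths, which is why the fix moves authentication in front of decryption rather than just renaming the error.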
Installs: 7
GitHub Stars: 4
First Seen: Feb 19, 2026