CBC PKCS7 Padding Oracle Attack engine

aes, aes-256, aes-cbc, cryptography, security, security-tools
pip install Paddown==0.1.0



PadDown is an AES CBC PKCS7 Padding Oracle Attack engine. It simplifies performing Padding Oracle Attack on a vulnerable encryption service. This is useful for both CTF and real-world attacks, where you are in possession of a ciphertext, and have a so called Padding Oracle available.


  • Using PadDown is as easy as subclassing the Paddown class overwriting the hasValidPadding(...) method retuning a bool. As argument it takes ciphertext to test against the Padding Oracle. Have your implementation return True if you receive no padding error and False otherwise.

  • Now you are ready to call .decrypt() on your class and start decrypting your ciphertext.

Examples can be found in the PadDown/examples directory.


The project can be setup with

python3 -m venv .venv
pip install -r requirements/dev.txt
pre-commit install

Pull requests

We are open to pull requests.

We use black, flake8 and isort for linting, and implement unit testing using pytest. A pre-commit configuration file has been added, for checking against these linters before comitting.

Please squash all commits when merging a pull request.


To run the unittests, simply run pytest.