CBC Padding Oracles in 2025 with Wade King

CBC padding oracles are supposed to be “fixed,” but attackers are still using them to break real systems and take over accounts. In this BSides Vancouver Island talk, security researcher Wade King walks through how classic CBC padding oracle attacks work, then shows new techniques that bypass “hardened” implementations by abusing how applications read and validate decrypted data. You’ll see how subtle crypto mistakes in legacy systems and token-based authentication can quietly turn into full account takeover. This session is ideal for blue and red teamers, penetration testers, AppSec engineers, and security architects dealing with legacy crypto, custom tokens, or encryption in web apps and APIs. Key topics include: - How CBC mode and padding actually interact at the byte level - How classic CBC padding oracle attacks work in practice - “Double ciphertext” tricks that revive padding oracles even with unified error messages - Recovering first-block plaintext and IVs from struc