Two researchers have released a tool which can be used to crack web server-encrypted session data contained in cookies and parameters hidden in HTML pages. The method used by Juliano Rizzo and Thai Duong's Padding Oracle Exploitation Tool (Poet) can also be used to crack CAPTCHAS.
Poet utilises the Padding Oracle AttackPDF, first discovered in 2002, to decrypt cypher block chaining (CBC) mode encrypted data without the key. Web applications such as those generated using the popular JavaServer Faces framework (JSF) are affected.

The Padding Oracle Attack makes use of the fact that during encryption individual blocks must always be 8 or 16 bytes long. In order to meet this requirement it is usually necessary to pad out the final block with additional bytes. There are various methods of performing this padding, some of which facilitate cracking. This is where Padding Oracle

The link for this article located at H Security is no longer available.