The Padding Oracle Attack makes use of the fact that during encryption individual blocks must always be 8 or 16 bytes long. In order to meet this requirement it is usually necessary to pad out the final block with additional bytes. There are various methods of performing this padding, some of which facilitate cracking. This is where Padding Oracle – essentially a program or service which uses a status message to indicate whether the padding in a received packet is valid – comes into play. This is exactly what the JSF framework does.