Given the values below in the following format
Original String => Encoded Hex string
Is there a way to tell how these strings were encoded? I would like to replicate the method for any given value.
From a CGI website used to renew passwords for user accounts.
Only the strings are presented to the user, but when I choose a password, I see on the back end that the website is making an API call with the following information:
Request URL:
Request Method: POST
Status Code: 200 OK
token:
newPassword: EC3261B72B9E0ABB=beyfX4Ga
I would like to know how the newPassword field gets generated, because I am testing the security of an internal site at my company. If I am able to generate the encoded hex string, then with a simple API call a user can choose any password instead of the ones randomly generated by the system.
There isn’t enough information for us to work with here. Do you have access to the function that created these strings?
I’m not sure I understand the security concern, but any security testing should be based upon full access to the source code. Security through obscurity is not security at all.