Given the values below in the following format
Original String => Encoded Hex string
Is there a way to tell how this strings where encoded? I would like to replicate the method for any given value.
beyfX4Ga => EC3261B72B9E0ABB
DqpdBPY5 => 55E95EB7995408BB
VmQ7ynnV => 0A0550B74A70F9BA
GbLxQKg4 => 845176B7C7BC1FBB
9FPsNJiz => D0E56CB70F5116BB
kvxE7iRK => 7D1B66B7BC860FBB
sBf1GDsM => 3FE958B77F5402BB
gS6F3gnB => 1F5152B75DBCFBBA
J1vpsac6 => FBE168B73A4D12BB
vFypC8X3 => 647475B7A3DF1EBB
from a cgi website used to renew passwords for user accounts.
Only the strings are presented to the user, but when I choose a password, I see on the back end that the website is making an api call with the following information
Request URL:
Request Method: POST
Status Code: 200 OK
token:
newPassword: EC3261B72B9E0ABB=beyfX4Ga
I would like to know how the NewPassword field gets generated.
because I am testing the security of an internal site at my company. If I am able to generate the encoded hex string, then with a simple API call a user can choose any password instead of the ones randomly generated by the system
yes, I also know the answer to my question and am just wasting everybody’s time.
I was being sarcastic Randell. 
I went the route of converting my string to base64 and then from base64 to HEX. But I cannot get to the result this way
There isn’t enough information for us to work with here. Do you have access to the function that created these strings?
I’m not sure I understand the security concern, but any security testing should be based upon full access to the source code. Security through obscurity is not security at all.
Hi there. Without additional info I believe it is not possible to determine the hash function
It certainly might be possible, and someone with access to the API certainly might be able recreate the hash function.
This topic was automatically closed 182 days after the last reply. New replies are no longer allowed.