What type of encoding is this?

zlb02327 · March 16, 2023, 6:49pm

Given the values below in the following format
Original String => Encoded Hex string
Is there a way to tell how this strings where encoded? I would like to replicate the method for any given value.

beyfX4Ga => EC3261B72B9E0ABB
DqpdBPY5 => 55E95EB7995408BB
VmQ7ynnV => 0A0550B74A70F9BA
GbLxQKg4 => 845176B7C7BC1FBB
9FPsNJiz => D0E56CB70F5116BB
kvxE7iRK => 7D1B66B7BC860FBB
sBf1GDsM => 3FE958B77F5402BB
gS6F3gnB => 1F5152B75DBCFBBA
J1vpsac6 => FBE168B73A4D12BB
vFypC8X3 => 647475B7A3DF1EBB

RandellDawson · March 16, 2023, 6:56pm

What is this for? Where are you seeing this? Is it from some problem/challenge you found on the internet?

zlb02327 · March 16, 2023, 7:12pm

from a cgi website used to renew passwords for user accounts.
Only the strings are presented to the user, but when I choose a password, I see on the back end that the website is making an api call with the following information

Request URL:
Request Method: POST
Status Code: 200 OK
token:
newPassword: EC3261B72B9E0ABB=beyfX4Ga

I would like to know how the NewPassword field gets generated.

RandellDawson · March 16, 2023, 7:18pm

Why? What does it matter how it is created as long as you can use it?

zlb02327 · March 16, 2023, 7:21pm

because I am testing the security of an internal site at my company. If I am able to generate the encoded hex string, then with a simple API call a user can choose any password instead of the ones randomly generated by the system

RandellDawson · March 16, 2023, 7:37pm

Can you not look at the API code if it is your company’s code?

zlb02327 · March 16, 2023, 8:10pm

yes, I also know the answer to my question and am just wasting everybody’s time.

RandellDawson · March 16, 2023, 8:11pm

Well, what was the answer?

zlb02327 · March 16, 2023, 8:12pm

I was being sarcastic Randell.

zlb02327 · March 16, 2023, 8:13pm

I went the route of converting my string to base64 and then from base64 to HEX. But I cannot get to the result this way

JeremyLT · March 16, 2023, 8:39pm

There isn’t enough information for us to work with here. Do you have access to the function that created these strings?

I’m not sure I understand the security concern, but any security testing should be based upon full access to the source code. Security through obscurity is not security at all.

lanceamd · March 17, 2023, 6:23am

Hi there. Without additional info I believe it is not possible to determine the hash function

JeremyLT · March 17, 2023, 1:59pm

It certainly might be possible, and someone with access to the API certainly might be able recreate the hash function.