Client Side HTTP Traffic Encryption Bypass | Dinesh Sharma | Lucideus


Introduction: This article presents a simple method to bypass client-side encryption instead of decrypting it. No coding knowledge is required; the only requirement is a basic understanding of the web browser. There are already a few methods for decrypting client-side encryption, such as finding the key and IV and using them in Python code to decrypt the client-side traffic. In this article, however, we will not write a single line of code. We will only use the browser's developer tools, which developers themselves use when fixing errors in their client-side code. So let's get started.

Browser's Developer Tool: The browser's developer tool gives developers a lot of functionality, such as viewing and modifying the complete client-side code (HTML, CSS, JS), cookies, the console view, all the triggered URLs, etc.



Diagram 1: Dev Tool Chrome


As we can see in the above diagram, Chrome's Dev Tool has many tabs, such as element, console, source, network, etc., and each is used for a different purpose. They are described on Chrome's official website, https://developers.google.com/web/tools/chrome-devtools. Here we are only going to use the source tab of the Dev Tool.

Diagram 2: Source tab of Chrome Dev Tool

The source tab contains the complete client-side code. If encryption is performed on the client side, it will be in the JS files. So here we will analyze the JS files that are responsible for the encryption.
Some of the key subtabs of the source tab are given below:

(1) Breakpoint: This tab basically puts a hold on the JS code.
(2) Call Stack: It will show the data.

Reproduction: Now that we have the knowledge needed to understand the method, let's start.

Step 1: As we can see in the form below, we have to fill in some details to submit it.

Diagram 3: Basic HTML Form


Step 2: Now click on submit and intercept the request in a client-side proxy tool like Burp or ZAP. It is a POST request whose body contains only one parameter, called data, and everything is encrypted as the value of the data parameter.

Diagram 4: Encrypted HTTP POST Request


Step 3: Open up your Chrome browser. Press the F12 key on your keyboard, click on the source tab, and navigate to the JS file (in the file dropdown on the left side) that is being used to perform this client-side encryption. In my case, it's CT_encryption.js.



Diagram 5: Using Dev tool of Chrome

Step 4: Now we need to set the breakpoints so that we can see the code before the encryption function runs. This is the most important part, as we need to analyze the complete JS file and find the function where the encryption is taking place.

Trick: I press CTRL+F and search for encrypt keywords. Now, analyze each of the encrypt functions carefully.

Finally, I was fortunate to find the encryption function, so I tried to put my breakpoint just before that function so that the function would not execute, but I was not able to do that, so I put the breakpoint in the encryption function at the start itself, before the encryption process starts. I put the breakpoint on line number 2280. To put a breakpoint, just click on the line number of the code and it will turn dark blue, as shown in the screenshot below.


Diagram 6: Putting breakpoint to hold the execution

Step 5: Now fill in the form again, as shown in step 1, press F12 and navigate to the source tab. Now submit the form. On the right side of the screen, you will find all the breakpoints.


Diagram 7: Showing Breakpoints


Step 6: Now click on the Call Stack tab; inside it there will be a local subtab, where all the data before the encryption will be. Here I am directly showing the decrypted data below:

-------------------------------------------------------------------------------------------------------------------------------------------------
plain Text: "PAGE_CODE_TYPE=AB_TOD&TOD_MODEL_DATA=%7B%22TOD_AMT%22%3A%22100.00%22%2C%22todFormattedAmt%22%3A%22130.00%22%2C%22TOD_TENOR%22%3A%225%22%2C%22TOD_PURPOSE%22%3A%222413%22%2C%22TOD_MODE%22%3A%22pentest%22%7D&encrypted=true"
-------------------------------------------------------------------------------------------------------------------------------------------------

Note: The above data is URL-encoded. Just decode it with Burp's decode option and it will look like this:

-------------------------------------------------------------------------------------------------------------------------------------------------
plain Text: "PAGE_CODE_TYPE=AB_TOD&TOD_MODEL_DATA{"TOD_AMT":"130.00","todFormattedAmt":"130.00","TOD_TENOR":"5","TOD_PURPOSE":"2413","TOD_MODE":"pentest"}&encrypted=true"
-------------------------------------------------------------------------------------------------------------------------------------------------

Now, from the local tab, one can modify the data and even perform injection. The main idea of the method is to put a breakpoint before the encryption function in order to hold the execution of the program, so that we can first inject our payload into the unencrypted data, which is then passed to the encryption function. Since the server accepts only encrypted data, it is necessary to pass the data to the encryption function as well.

Conclusion:
Since we can now see all the traffic with its parameters, we can inject our payloads for traditional web attacks like SQLi, XSS and many more. Bypassing the encryption is very important if we really want to look into the traffic in order to inject our payloads.
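
The same observation from the server's side, as an added example that is not part of the original article: because the plaintext can be edited at the breakpoint before it is encrypted, the fields that arrive after decryption are ordinary untrusted input. This Node.js code parses a body shaped like the step 6 plaintext and validates it; the field names come from the article's capture, while the rules, `buildBody` and `checkBody` are assumptions.

```javascript
// Added example. Field names are from the article's capture; every rule is an assumption.
const RULES = {
  TOD_AMT: /^\d{1,9}\.\d{2}$/,         // assumed: decimal amount
  todFormattedAmt: /^\d{1,9}\.\d{2}$/, // assumed: same format as TOD_AMT
  TOD_TENOR: /^\d{1,3}$/,              // assumed: small integer
  TOD_PURPOSE: /^\d{1,6}$/,            // assumed: numeric purpose code
  TOD_MODE: /^[A-Za-z]{1,16}$/,        // assumed: short alphabetic token
};
const hasRule = (key) => Object.prototype.hasOwnProperty.call(RULES, key);

// Constructed helper: builds a body shaped like the plaintext shown in step 6.
function buildBody(model) {
  return new URLSearchParams({
    PAGE_CODE_TYPE: 'AB_TOD',
    TOD_MODEL_DATA: JSON.stringify(model),
    encrypted: 'true',
  }).toString();
}

// Returns a list of validation errors; an empty list means the body passed.
function checkBody(body) {
  const params = new URLSearchParams(body); // also URL-decodes the values
  let model;
  try {
    model = JSON.parse(params.get('TOD_MODEL_DATA') ?? '');
  } catch {
    return ['TOD_MODEL_DATA is not valid JSON'];
  }
  if (model === null || typeof model !== 'object' || Array.isArray(model)) {
    return ['TOD_MODEL_DATA is not a JSON object'];
  }
  const errors = [];
  for (const key of Object.keys(model)) {
    if (!hasRule(key)) errors.push(`unexpected field: ${key}`);
  }
  for (const [key, pattern] of Object.entries(RULES)) {
    if (typeof model[key] !== 'string' || !pattern.test(model[key])) {
      errors.push(`invalid ${key}`);
    }
  }
  // Assumed business rule: both amount fields must carry the same value.
  if (errors.length === 0 && model.TOD_AMT !== model.todFormattedAmt) {
    errors.push('TOD_AMT and todFormattedAmt disagree');
  }
  return errors;
}
// Constructed sample using the values from the article's decoded output.
const SAMPLE = { TOD_AMT: '130.00', todFormattedAmt: '130.00', TOD_TENOR: '5',
  TOD_PURPOSE: '2413', TOD_MODE: 'pentest' };
console.log(checkBody(buildBody(SAMPLE)), checkBody(buildBody({ ...SAMPLE, TOD_TENOR: '5x' })));
```

Under the assumed amount rule, the URL-encoded capture in step 6 (TOD_AMT 100.00, todFormattedAmt 130.00) would be rejected, while the decoded values pass.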

Reference:
https://developers.google.com/web/tools/chrome-devtools
