27 Character Digest?
Posted by: Exofusion
Date: November 21, 2007 03:34PM

Hey there, I've got a site with only one cookie, which I believe contains both the user's ID number, and password possibly encoded into a digest of some sort. It is 27 characters long and it is comprised of uppercase and lowercase letters, and numbers. If anyone has any clue on what this could be and how to decode it, that would be helpful, thanks!

Edit: It also contains hyphens (-).

Edited 1 time(s). Last edit at 11/21/2007 04:55PM by Exofusion.

Re: 27 Character Digest?
Posted by: thornmaker
Date: November 22, 2007 07:05PM

My first guess would be that it is base64 encoded. If not, you will probably need to provide more information.

Re: 27 Character Digest?
Date: November 24, 2007 03:31PM

Regardless, if the password had a hash function applied to it, you'll need to brute force crack it or use one of the many rainbow tables out there on the internet (after figuring out what hash was used).

HTML Purifier - Standards Compliant HTML filtering

Re: 27 Character Digest?
Posted by: mrbene
Date: November 24, 2007 08:12PM

You've always got the easy targets - like the "gmailchat" cookie in mail.google.com. The main reason a site would put a password in a cookie is if they were doing client-side authentication (i.e., password verification through JavaScript, or maybe through ActionScript), which is inherently insecure - the client has full control over the environment, and can bypass authentication as needed.

That or they're lazy.

If I were to store authentication client-side, it would be a one-time authentication token with both server- and client-side expiry, that I'd update with every n client-server interactions. If you'd tried to scrape Facebook for data a few months back you would have come across a good implementation like this (which, incidentally, is a solid XSRF defense, but doesn't do anything against XSS). I haven't checked recently, and now that certain information is available to search engines, I don't know that this is implemented as ubiquitously.

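The token scheme described in the post above, sketched as an added example that is not part of the original thread or any site's real code: a random token with no uid or password material in it, a server-side expiry mirrored by the cookie's Max-Age, and replacement after every n requests. The names `TokenStore`, `TOKEN_TTL`, `ROTATE_EVERY`, the cookie name `auth` and the chosen values are all assumptions.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 900    # assumed lifetime in seconds, enforced server-side
ROTATE_EVERY = 5   # assumed "n": requests served before the token is replaced


def _key(token):
    # Store only a hash, so a leaked session table holds no usable tokens.
    return hashlib.sha256(token.encode()).hexdigest()


class TokenStore:
    """Server-side record of live tokens; the cookie itself is opaque."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._live = {}  # sha256(token) -> {"uid", "expires", "uses"}

    def issue(self, uid):
        token = secrets.token_urlsafe(32)  # random, not derived from uid or password
        self._live[_key(token)] = {
            "uid": uid, "expires": self._clock() + TOKEN_TTL, "uses": 0}
        return token

    def cookie_header(self, token):
        # Client-side expiry (Max-Age) mirrors the server-side one.
        return (f"Set-Cookie: auth={token}; Max-Age={TOKEN_TTL}; "
                "HttpOnly; Secure; SameSite=Strict")

    def check(self, presented):
        """Return (uid, token_to_send_back), or (None, None) if rejected."""
        k = _key(presented)
        rec = self._live.get(k)
        if rec is None:
            return None, None              # unknown, forged or already rotated out
        if self._clock() >= rec["expires"]:
            del self._live[k]              # expired server-side, whatever the client says
            return None, None
        rec["uses"] += 1
        if rec["uses"] >= ROTATE_EVERY:
            del self._live[k]              # old token stops working once replaced
            return rec["uid"], self.issue(rec["uid"])
        return rec["uid"], presented
```

When `check` returns a token different from the one presented, the response carries a fresh `cookie_header` for it.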
Re: 27 Character Digest?
Posted by: Exofusion
Date: November 26, 2007 03:16PM

Hmm, it doesn't seem to be a simple base64 encode.

The reason I am looking to find out how it is encoded is not to get information from it but reform a hash myself. I have uid and passhashes but the cookie is formulated somehow to contain the uid and passhash into that 27 character hash. I'm pretty stuck on what to do.
