0

I am thinking of taking up ethical hacking as a hobby. So, I installed Burp Suite Community Edition and set it up with Firefox. I opened Instagram and tried to log in with these details (just for testing):

Username: admin

Password: 123456

However, when I intercepted the request in Burp, although the username was still admin, the password had been encrypted to something else. How can I find the 'formula' Firefox used for converting 123456 to that string?

Fitz Watson

1 Answer

2

Passwords are not encrypted inside a POST request.

If any encryption is done it is either at the transport layer (i.e. HTTPS instead of HTTP) and/or there is some application-specific client-side encryption done. In your case it seems to be the latter and you have to look at the application's code (i.e. the JavaScript executed by the client) on how exactly this is done with this specific application.

Steffen Ullrich
  • Could you please tell me how to find the function being executed? I tried looking at the events executed when the "submit" button is clicked, but that didn't help. – Fitz Watson Jun 05 '20 at 07:29
  • @FitzWatson: Analyzing the source code of third party applications to find out exactly how these work would be too broad and is also usually considered off-topic on this site, i.e. we usually don't do reverse engineering here. Try [reverseengineering.se] instead for help but don't expect that someone will simply do this for you. – Steffen Ullrich Jun 05 '20 at 08:28
  • I don't want to reverse engineer it. I just want to locate the formula like Firefox does. Like, I just want to be able to provide 123456 and get the string, not the reverse of it. – Fitz Watson Jun 05 '20 at 08:59
  • 1
    @FitzWatson That is exactly what "reverse engineering" means. You'll have to do some wetwork, learn how to use the JS debugger in your browser, and see what happens between clicking submit and the request being sent. –  Jun 05 '20 at 09:23
  • Oh ok. Is there a way to move this question to Reverse Engineering Stack Exchange? – Fitz Watson Jun 05 '20 at 11:49
  • @FitzWatson it sounds like it will be a new question – multithr3at3d Jun 05 '20 at 17:01
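
To illustrate the second case in the answer (application-specific client-side encryption), here is an added example that is not part of the original thread and is not Instagram's or any real site's scheme: a constructed login script seals the password with RSA-OAEP before the POST body is built. The key pair, the field name `password_sealed` and the timestamp are assumptions; because the padding is randomized, the same password produces a different string on every submit, so the value seen in a proxy need not be a fixed function of the input.

```javascript
// Added illustration with constructed values; run under Node.js.
const crypto = require("node:crypto");

// Constructed stand-in for a server-owned key pair. A real page would ship
// only the public key inside its JavaScript.
const { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", {
  modulusLength: 2048,
});
const OAEP = {
  padding: crypto.constants.RSA_PKCS1_OAEP_PADDING,
  oaepHash: "sha256",
};

// Client side (hypothetical): runs between clicking submit and sending the request.
function buildLoginBody(username, password) {
  const timestamp = Math.floor(Date.now() / 1000);
  const sealed = crypto.publicEncrypt(
    { key: publicKey, ...OAEP },
    Buffer.from(JSON.stringify({ password, timestamp }), "utf8")
  );
  // This form body is what an intercepting proxy displays after TLS is
  // stripped: the username is readable, the password is not.
  return new URLSearchParams({
    username,
    password_sealed: sealed.toString("base64"),
  }).toString();
}

// Server side: only the private-key holder can recover the password.
function openLoginBody(body) {
  const params = new URLSearchParams(body);
  const plain = crypto.privateDecrypt(
    { key: privateKey, ...OAEP },
    Buffer.from(params.get("password_sealed"), "base64")
  );
  return { username: params.get("username"), ...JSON.parse(plain.toString("utf8")) };
}

const first = buildLoginBody("admin", "123456");
const second = buildLoginBody("admin", "123456");
console.log(first);
console.log("identical for identical input:", first === second);
console.log(openLoginBody(first));
```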