Hi All,
It has been a long time since I wrote a security post, but I have come across a security issue in HP ALM Product 11.
While testing the latest version of the HP ALM product, I found that the password encryption used by the web application was weak. I was able to break the password encryption logic.
What is Encryption?
In cryptography, encryption is the process of encoding messages or information in such a way that only authorized parties can read it.
Below is the explanation for it.
Assume we enter the passwords 111111111111 and 222222222222 and capture each request in Burp Suite.
We can see the encrypted passwords in the screenshots below (Figures 2 and 3):
Breaking the Encryption Logic
| | 1st Char | 2nd Char | 3rd Char | 4th Char | 5th Char | 6th Char | 7th Char | 8th Char | 9th Char | 10th Char | 11th Char | 12th Char |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Password is 111111111111 | 132 | 158 | 160 | 157 | 156 | 146 | 136 | 146 | 164 | 121 | 150 | 163 |
| Password is 222222222222 | 133 | 159 | 161 | 158 | 157 | 147 | 137 | 147 | 165 | 122 | 151 | 164 |
| Encryption Key | 131 | 157 | 159 | 156 | 155 | 145 | 135 | 145 | 163 | 120 | 149 | 162 |
After comparing the two, we can deduce the encryption key (the last row of the table).
For example:
- To understand the algorithm, let us take a simple password, 1234.
- The 1st character of 1234 is 1, so its encrypted value is:
- 131 (Encryption Key value for the 1st Char) + 1 = 132
- Now take the 2nd character of 1234, which is 2; its encrypted value is:
- 157 (Encryption Key value for the 2nd Char) + 2 = 159
And so on…
| Password | 1 | 2 | 3 | 4 |
|---|---|---|---|---|
| Encryption Key | 131 | 157 | 159 | 156 |
| Encryption Logic | 131+1 | 157+2 | 159+3 | 156+4 |
| Encrypted Value | 132 | 159 | 162 | 160 |
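The arithmetic in the tables above, written out as an added Python example (not code from the original post or from HP): it derives the per-position key from the two captured pairs, checks that both pairs yield the same key, and shows that a fixed additive key is reversible by anyone who sees one known pair. It assumes digit-only passwords, the only case the post demonstrates; all function names are hypothetical.

```python
# Added example. Captured values are copied from the tables in this post.
CAPTURED = {
    "111111111111": [132, 158, 160, 157, 156, 146, 136, 146, 164, 121, 150, 163],
    "222222222222": [133, 159, 161, 158, 157, 147, 137, 147, 165, 122, 151, 164],
}


def _check_digits(password):
    # Assumption: digit-only passwords, the only case the post demonstrates.
    if not (password.isascii() and password.isdigit()):
        raise ValueError("this example only models digit passwords")


def recover_key(password, encoded):
    """Per-position key = encoded value minus the digit typed at that position."""
    _check_digits(password)
    if len(password) != len(encoded):
        raise ValueError("need one encoded value per character")
    return [value - int(ch) for ch, value in zip(password, encoded)]


def encode(password, key):
    """The scheme as described in the post: key[i] + digit[i]."""
    _check_digits(password)
    if len(password) > len(key):
        raise ValueError("key is known only for the first %d positions" % len(key))
    return [k + int(ch) for ch, k in zip(password, key)]


def decode(encoded, key):
    """Invert the scheme; fails if a value does not map back to a digit."""
    digits = [value - k for value, k in zip(encoded, key)]
    if len(encoded) > len(key) or any(not 0 <= d <= 9 for d in digits):
        raise ValueError("value not produced by this key and a digit password")
    return "".join(str(d) for d in digits)


def key_is_static():
    """True if every captured pair yields the same key, i.e. no salt or nonce."""
    keys = [recover_key(pw, enc) for pw, enc in CAPTURED.items()]
    return all(k == keys[0] for k in keys)


if __name__ == "__main__":
    key = recover_key("111111111111", CAPTURED["111111111111"])
    print("key:", key, "| static:", key_is_static())
    print("1234 ->", encode("1234", key), "->", decode(encode("1234", key), key))
```

Because the key is the same for every request, the encoded value is as sensitive as the clear-text password; the credential's confidentiality rests entirely on the transport layer.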
Below is the screenshot for the analysis:
I have reported this issue to HP as a responsible disclosure.
Happy Bounty Hunting