You may find part I of this article here
Let's look at an example that uses random parameters for encryption.
Step 1: Verify implementation of encryption in request
The application sends cipherUN (the cipher text), IV and Salt.
IV and Salt are generated randomly for each request.
Step 2: Identify encryption algorithm and implemented JavaScript utility
This application uses the CryptoJS utility with a hardcoded passphrase (secret key) but a randomly generated IV and Salt.
Step 3: Decrypt sensitive data
I am using the Google Chrome developer tools and the CryptoJS library to decrypt the cipher text.
I have initialized all the variables in the console with the values I got from the request and the webpage. Using the aesUtil.decrypt function, the clear text data is retrieved.
This technique can be used to retrieve sensitive data from cipher text.
Conclusion:
Sensitive data can be retrieved using the CryptoJS utility, the key, IV and Salt.
Recommendation:
Developers are recommended to use an asymmetric algorithm like RSA to encrypt sensitive data.
Store the secret key safely on the server and use the public key to encrypt sensitive data.
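
The finding and the recommendation side by side, as an added example that is not code from the application or from the original article. It uses Node.js's built-in crypto module in place of CryptoJS; the passphrase, the PBKDF2 settings (SHA-1, 1000 iterations, 128-bit key), AES-CBC mode and all function names are assumptions made for illustration.

```javascript
// Added example; Node.js built-in crypto stands in for CryptoJS in the browser.
const crypto = require('node:crypto');

// Constructed values: a passphrase shipped in page JavaScript, assumed KDF settings.
const PASSPHRASE = 'hardcoded-passphrase-in-page-js';
const ITERATIONS = 1000, KEY_BYTES = 16;

// Salt only varies the derived key; anyone holding the passphrase can repeat this step.
function deriveKey(passphrase, saltHex) {
  return crypto.pbkdf2Sync(passphrase, Buffer.from(saltHex, 'hex'), ITERATIONS, KEY_BYTES, 'sha1');
}

// Client side of the weak design: random IV and Salt travel with the cipher text.
function clientEncryptAes(plainText) {
  const salt = crypto.randomBytes(16).toString('hex');
  const iv = crypto.randomBytes(16).toString('hex');
  const c = crypto.createCipheriv('aes-128-cbc', deriveKey(PASSPHRASE, salt), Buffer.from(iv, 'hex'));
  const cipherUN = Buffer.concat([c.update(plainText, 'utf8'), c.final()]).toString('base64');
  return { cipherUN, iv, salt };
}

// The request fields plus the passphrase from the page are sufficient to decrypt.
function decryptFromRequest(req, passphrase) {
  const d = crypto.createDecipheriv('aes-128-cbc', deriveKey(passphrase, req.salt), Buffer.from(req.iv, 'hex'));
  return Buffer.concat([d.update(req.cipherUN, 'base64'), d.final()]).toString('utf8');
}

// Recommended design: the page carries only a public key; the private key stays on the server.
const serverKeys = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const publicKeyPem = serverKeys.publicKey.export({ type: 'spki', format: 'pem' });
const OAEP = { oaepHash: 'sha256', padding: crypto.constants.RSA_PKCS1_OAEP_PADDING };

function clientEncryptRsa(plainText) {
  return crypto.publicEncrypt({ key: publicKeyPem, ...OAEP }, Buffer.from(plainText, 'utf8')).toString('base64');
}

function serverDecryptRsa(b64) {
  return crypto.privateDecrypt({ key: serverKeys.privateKey, ...OAEP }, Buffer.from(b64, 'base64')).toString('utf8');
}

// The only key material the client holds (the public key) cannot reverse the RSA cipher text.
function clientCanDecryptRsa(b64) {
  try { crypto.privateDecrypt(publicKeyPem, Buffer.from(b64, 'base64')); return true; }
  catch (e) { return false; }
}
```

The random IV and Salt make each AES cipher text different, but both are sent in the request, so confidentiality rests entirely on the passphrase that the page itself delivers to every client.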