Weak Encryption

Check List

Methodology

Black Box

Weakly Encrypted Password Reset Token

1. Access the password reset functionality

   GET /forgot-password HTTP/1.1
   Host: target.com

2. Submit a password reset request for your own account

   POST /forgot-password HTTP/1.1
   Host: target.com
   Content-Type: application/x-www-form-urlencoded

   email=test@target.com

3. Capture the reset link from the email

   https://target.com/reset?token=MTY5ODc1NjAwMA==

4. Decode the token (Base64 test)

   MTY5ODc1NjAwMA==  →  1698756000

5. If the token decodes to a timestamp, user ID, or other predictable value, it is merely encoded rather than encrypted. Request multiple reset tokens consecutively.

6. Compare the token values for pattern similarity (incremental values, timestamp correlation, user ID leakage)

7. Attempt to modify the token manually

   https://target.com/reset?token=MTY5ODc1NjAwMQ==

8. If the modified token is accepted or partially validated, weak encryption / a predictable token is confirmed

9. Attempt a cross-user reset by generating a token for your own account and adjusting the numeric segment to another user ID

10. If token manipulation grants access to another account's reset page, the weak encryption vulnerability is confirmed

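The decode-and-compare checks of steps 4 to 6, together with the hardened token issuance a fix would use, as an added Python example that is not part of this checklist. The sample token values, the 60-second spacing heuristic and the 15-minute TTL are assumptions.

```python
import base64
import binascii
import hashlib
import secrets

# Constructed sample: three consecutively requested tokens in the page's format (Base64 of a Unix timestamp).
SAMPLE_TOKENS = ["MTY5ODc1NjAwMA==", "MTY5ODc1NjAwMQ==", "MTY5ODc1NjAwMg=="]

def decode_token(token):
    """Return the decoded bytes if the token is Base64 or Base64url, else None."""
    padded = token + "=" * (-len(token) % 4)            # tolerate stripped padding
    for altchars in (None, b"-_"):
        try:
            return base64.b64decode(padded, altchars=altchars, validate=True)
        except (binascii.Error, ValueError):
            continue
    return None

def payload_kind(raw):
    """Label a decoded token: opaque bytes (as a random token would be), text, integer or timestamp."""
    if not raw.isascii():
        return "opaque"
    if not raw.isdigit():
        return "text"
    return "timestamp" if 1_000_000_000 <= int(raw) <= 4_000_000_000 else "integer"  # ~2001..2096

def analyze_tokens(tokens):
    """Checklist steps 4 to 6: decode each token, then compare the batch for structure."""
    payloads = [decode_token(t) for t in tokens]
    if any(p is None for p in payloads):
        return {"verdict": "not Base64; inspect encoding further", "findings": []}
    findings = []
    if all(payload_kind(p) in ("timestamp", "integer") for p in payloads):
        findings.append("tokens decode to plain numbers (timestamp, user ID or counter)")
    deltas = [int(b) - int(a) for a, b in zip(payloads, payloads[1:]) if a.isdigit() and b.isdigit()]
    if deltas and all(0 <= d <= 60 for d in deltas):    # issued seconds apart and monotonic
        findings.append("consecutive tokens increment predictably")
    verdict = "weak: encoded, predictable value" if findings else "no predictable structure detected"
    return {"verdict": verdict, "findings": findings}

def issue_reset_token(store, user_id, now, ttl_seconds=900):
    """Hardened counterpart: a random token, kept server-side only as a hash with an expiry."""
    token = secrets.token_urlsafe(32)                     # 256 bits from the OS CSPRNG
    store[hashlib.sha256(token.encode()).hexdigest()] = (user_id, now + ttl_seconds)
    return token

def redeem_reset_token(store, token, now):
    """Accept a token once, and only before it expires; otherwise return None."""
    record = store.pop(hashlib.sha256(token.encode()).hexdigest(), None)   # pop makes it single-use
    return record[0] if record and now <= record[1] else None
```

Running analyze_tokens on SAMPLE_TOKENS reports both findings, while a batch of tokens from issue_reset_token decodes to opaque bytes and reports none.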

Sensitive Data Encrypted with Reversible Client-Side Logic

1. Log in and intercept a response containing encrypted data

   GET /api/profile HTTP/1.1
   Host: target.com
   Authorization: Bearer <token>

2. Observe the encrypted field

   "ssn":"U0lHTkVEX1NTTl8xMjM0"

3. Inspect the application JavaScript files

   GET /static/app.js HTTP/1.1
   Host: target.com

4. Search for encryption functions and identify reversible logic such as:

   function encrypt(data){
     return btoa(data);   // Base64 encoding only: no key involved, so atob() reverses it
   }

5. Decode the value manually

   U0lHTkVEX1NTTl8xMjM0 → SIGNED_SSN_1234

6. If sensitive data is only Base64 or XOR encoded rather than cryptographically encrypted, weak encryption is confirmed

7. Modify the encoded value and resend the request. If the application accepts the modified encoded sensitive data, the encryption control is insufficient


Weak TLS Cipher Suite Negotiation

1. Connect to the target using a TLS testing tool

2. Force weak cipher negotiation (example with OpenSSL). On OpenSSL 1.1.1 and later, add -no_tls1_3 so that the -cipher list governs the handshake; TLS 1.3 suites are selected separately via -ciphersuites.

   openssl s_client -connect target.com:443 -cipher 'DES-CBC3-SHA'

3. If the handshake succeeds with 3DES or RC4, the session output shows the negotiated suite:

   Cipher    : DES-CBC3-SHA

4. Weak encryption is supported. Next, test for export-grade cipher support (OpenSSL 1.1.0 and later no longer ship export ciphers, so a client-side cipher-list error is a tooling limitation, not a negative result):

   openssl s_client -connect target.com:443 -cipher 'EXP'

5. If the connection succeeds using an export cipher, weak encryption is confirmed

6. Verify the accepted protocol version

   Protocol  : TLSv1.0

7. If TLS 1.0 or weak ciphers are allowed, cryptographic strength is insufficient

8. If the handshake succeeds using deprecated cipher suites, the weak encryption configuration vulnerability is confirmed

