11-06-2017, 01:11 AM
(This post was last modified: 11-06-2017, 01:17 AM by Tasselhoff.)
(11-04-2017, 08:25 AM)knightwolf Wrote: Rats, I was hoping to leverage my GPU to make this easier, haha! Understandable as this case is fairly specific.
The situation often occurs in web development. Specifically - protecting a set of variables which are present as plain-text in the URL field of the browser.
Example URL:
https://mysite.com/purchase/?item=25&price=50.00&hashvalue=56722d7e851770c6661770c8a64a88ee6b864a8f
Normally a user would be able to manipulate the URL variables, but the addition of a hashvalue which is calculated by taking the URL variables and appending a secret-key (which is then SHA1 encrypted) prevents a user from tampering with them. The server-side script runs the same operation to compare if the hashvalue(s) match. If they don't - it means that a variable was changed in the URL so an error message is thrown.
In the above example I used the secret-key: mySecret
So hashvalue = encrypt_with_SHA1(?item=25&price=50.00mySecret)
> 56722d7e851770c6661770c8a64a88ee6b864a8f
As always, the secret-key (mySecret) is unknown to us, that's what I'm trying to find.
I have successfully tested this with a variable string < 256 chars.
If you know what the secret is, couldn't you just create a file with it appended to the string, and use something to work out the hash, such as hashmyfiles?
Oops, just saw that you don't know the secret. You could potentially use something like:
echo -n string | sha1sum | awk '{print toupper($1)}'
and maybe test it against the hash you're after (where "string" is the string plus your generated secret). A quick bash script to cycle through the possibilities could do it if there's only five characters.
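The server-side check described in the quoted post, as an added example that is not part of the thread: it builds the tag the way the post writes it (SHA-1 over the query string with the secret appended) next to an HMAC-SHA256 variant keyed with 32 random bytes. The function names, the HMAC variant and the demo key are assumptions of this example; the URL, parameters and `mySecret` are taken from the post.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

BASE = "https://mysite.com/purchase/"   # from the post
QUERY = "item=25&price=50.00"           # from the post

def legacy_tag(query: str, secret: str) -> str:
    # Construction as written in the post: SHA-1 over "?<query><secret>".
    return hashlib.sha1(("?" + query + secret).encode()).hexdigest()

def hmac_tag(query: str, key: bytes) -> str:
    # Assumed alternative: HMAC-SHA256 keyed with random bytes, so there is
    # no short human-chosen secret to guess from one captured URL.
    return hmac.new(key, query.encode(), hashlib.sha256).hexdigest()

def sign_url(base: str, query: str, tag_fn, key) -> str:
    return f"{base}?{query}&hashvalue={tag_fn(query, key)}"

def verify_url(url: str, tag_fn, key) -> bool:
    # Split off the trailing hashvalue; everything before it is what was signed.
    signed, sep, supplied = urlsplit(url).query.rpartition("&hashvalue=")
    if not sep or not signed or not supplied:
        return False
    expected = tag_fn(signed, key).encode()
    # Normalise case (the awk one-liner in the thread upper-cases the digest)
    # and compare in constant time.
    return hmac.compare_digest(expected, supplied.lower().encode())

if __name__ == "__main__":
    key = secrets.token_bytes(32)  # constructed key for the demo
    schemes = (("sha1+secret", legacy_tag, "mySecret"),
               ("hmac-sha256", hmac_tag, key))
    for name, fn, k in schemes:
        url = sign_url(BASE, QUERY, fn, k)
        tampered = url.replace("price=50.00", "price=0.01")
        print(name, verify_url(url, fn, k), verify_url(tampered, fn, k))
```

Both schemes reject an edited `price`; they differ in how much work it takes to recover the key from one valid URL, which depends on the key's length and randomness.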