01-22-2018, 06:37 AM
Is the JSON you posted the request or the response? If it's the request, and that is indeed a hash of the password, then the password is being hashed client-side and you simply need to read the JavaScript to figure out what it's doing. However, it looks like that hash isn't a password hash, but rather the session ID.
Anyway, undeath is correct. The biggest threat to HTTP is MITM, so you need to actually MITM the app to demonstrate that threat.