惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

爱范儿
爱范儿
P
Palo Alto Networks Blog
月光博客
月光博客
H
Hackread – Cybersecurity News, Data Breaches, AI and More
I
InfoQ
aimingoo的专栏
aimingoo的专栏
腾讯CDC
T
Threatpost
D
DataBreaches.Net
Vercel News
Vercel News
F
Fortinet All Blogs
Engineering at Meta
Engineering at Meta
C
Cybersecurity and Infrastructure Security Agency CISA
Forbes - Security
Forbes - Security
U
Unit 42
C
Check Point Blog
Blog — PlanetScale
Blog — PlanetScale
O
OpenAI News
量子位
TaoSecurity Blog
TaoSecurity Blog
Microsoft Azure Blog
Microsoft Azure Blog
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
V
Visual Studio Blog
Recorded Future
Recorded Future
云风的 BLOG
云风的 BLOG
Security Archives - TechRepublic
Security Archives - TechRepublic
The Last Watchdog
The Last Watchdog
S
Security Affairs
Attack and Defense Labs
Attack and Defense Labs
罗磊的独立博客
Stack Overflow Blog
Stack Overflow Blog
Microsoft Security Blog
Microsoft Security Blog
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
V
V2EX
小众软件
小众软件
S
SegmentFault 最新的问题
www.infosecurity-magazine.com
www.infosecurity-magazine.com
W
WeLiveSecurity
AI
AI
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
博客园 - 聂微东
I
Intezer
Know Your Adversary
Know Your Adversary
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
P
Proofpoint News Feed
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
The Cloudflare Blog
博客园_首页
NISL@THU
NISL@THU
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO

Homepage on Aditya Telange

One Year with evil-winrm-py - A Retrospective Bypassing LinkedIn's Connection Privacy with a Simple Search Filter Making Dynamic Instrumentation Accessible with Frida UI HackTheBox (HTB) - Escape HackTheBox (HTB) - Resolute HackTheBox (HTB) - Certified State of VMWare Workstation (Pro?) on Linux Android App Security Testing Lab with MobSleuth Android phone as a Webcam on Linux Breaking down Reverse shell commands HackTheBox (HTB) - Photobomb Merging AOSP Security Patches into Custom ROMs Primer on HTTP Security Headers Image Zoom-In effect with HUGO HackTheBox (HTB) - Legacy HackTheBox (HTB) - Lame Cryptohack - Keyed Permutations [5 pts] Cryptohack - Resisting Bruteforce [10 pts] Cryptohack - RSA Starter 1 [10 pts] Cryptohack - Base64 [10 pts] Cryptohack - Bytes and Big Integers [10 pts] Cryptohack - Hex [5 pts] Cryptohack- XOR Starter [10 pts] HackTheBox (HTB) - Horizontall HackTheBox (HTB) - Forge HackTheBox (HTB) - Previse HackTheBox (HTB) - BountyHunter HackTheBox (HTB) - Explore HackTheBox (HTB) - Cap HackTheBox (HTB) - Pit HackTheBox (HTB) - Knife HackTheBox (HTB) - Love HackTheBox (HTB) - Tenet HackTheBox (HTB) - Ready Watermarking images with HUGO My Github Project went viral! Cryptohack - ASCII [5 pts] Cryptohack - Finding Flags [2 pts] Cryptohack - Great Snakes [3 pts] Cryptohack - JWT Sessions [10 pts] Cryptohack - Network Attacks [5 pts] Cryptohack - Token Appreciation [5 pts] CAF's Android for MSM Basic Website Analytics with Vercel Github Actions as Temporary File Sharing Platform Addition of prebuilt APK - AOSP Rom Development External Link With target='_blank' in Hugo Markdown Setting Up Build Environment - AOSP Rom Development Getting Started - AOSP Rom Development Using Secure HTTP Headers with Vercel/Zeit Education and Certifications Link Tree ↟ | Aditya Telange Personal Projects Resume - Aditya Telange Security Acknowledgements About Me Graph View License Privacy Policy
Breaking Payload Encryption in Web Applications
[Aditya Telange](https://x.com/adityatelange) · 2025-09-28 · via Homepage on Aditya Telange

In critical web apps (such as banking, finance, healthcare), payload encryption is often implemented to protect sensitive data during transmission.

Most developers and product owners assume that encryption is secure and tend to apply it as a final foolproof fix to prevent tampering of data. Although encryption does add a layer of security, it is not always effective if not implemented correctly. This blog post explores common techniques used to break payload encryption in web applications.

Understanding Payload Encryption

Payload encryption is a method used to secure data by converting it into an unreadable format using cryptographic algorithms.

This is done to protect sensitive information from being intercepted and understood by unauthorized parties during transmission over networks. Most commonly, payload encryption is implemented on the client side (e.g., in JavaScript for web apps or in mobile apps) before sending data to the server and on the server side before sending data back to the client.

Payload encryption is over and above the standard transport layer encryption provided by HTTPS (TLS). So, tools like Burp Suite or OWASP ZAP will not be able to decrypt/encrypt the payloads automatically.

Types of Payload Encryption

  1. Symmetric Encryption (Commonly used, easier to implement)
    • The same key is used for both encryption and decryption.
    • Common algorithms: AES, DES, 3DES.
  2. Asymmetric Encryption (Rarer in payload encryption, more complex and resource-intensive)
    • Uses a pair of keys: a public key for encryption and a private key for decryption.
    • Common algorithms: RSA, ECC.

Is payload encryption effective?

  • While payload encryption adds a layer of security, it is not foolproof.
  • Encrypting payloads is more of a deterrent than a complete security solution. This is security through obscurity.
  • If the encryption implementation is weak or if the encryption keys are poorly managed, attackers may find ways to break the encryption and access the sensitive data.

Common Techniques to Break Payload Encryption

  1. Find how the encryption is implemented
    • Observe the request and response carefully using a proxy tool like Burp Suite or OWASP ZAP.
    • Look for clues in the client-side code (JavaScript, mobile app code) that may reveal how the encryption is implemented.
  2. Identify the encryption algorithm
    • Look for functions or libraries used for encryption (e.g., CryptoJS, WebCrypto API).
    • Look for modes of operation like CBC, GCM, ECB, etc.
    • Look for padding schemes like PKCS7, NoPadding, etc.
  3. Find the encryption key, iv or secret used for encryption/decryption
    • Look for hardcoded keys or secrets in the code.
    • Look for any dynamic generation of keys, ivs or secrets in the code.
    • Look for any usage of cookies, local storage, session storage, etc. which may contain keys, ivs or secrets.
  4. Use DevTools to debug and trace the code execution
    • Use browser DevTools to set breakpoints and step through the code to understand how encryption/decryption is performed.
    • Look for any functions that are called before sending the request or after receiving the response.
  5. Replicate the encryption/decryption process
    • Use the identified algorithm, key, iv or secret to replicate the encryption/decryption process.
    • Use #specific tools or write custom scripts to encrypt/decrypt the payloads.
  6. If the request is encrypted, certainly the payload is encrypted in client side and hence we can find the encryption code and the key, iv or secret used for encryption.
  7. If the response is encrypted and we see the data in plaintext in the client side, certainly the payload is decrypted in client side and hence we can find the decryption code and the key, iv or secret used for decryption.

What to Look For in Client Side Code

  • Analyse request and response carefully using a proxy tool like Burp Suite or OWASP ZAP.
  • Look for keywords like encrypt, decrypt, crypto, key, iv, secret in the code.
  • Look for libraries like CryptoJS, JSEncrypt, WebCrypto API, etc.
  • Look for modes of operation like CBC, GCM, ECB, etc.
  • Look for padding schemes like PKCS7, NoPadding, etc.
  • Look of variables which post body contains the payload. example:
    {
      "enc_data": "<encrypted_payload_here>"
    }
    
  • Look for functions which are called before sending request or after receiving response.
  • Look for any hardcoded keys, ivs or secrets in the code.
  • Look for any dynamic generation of keys, ivs or secrets in the code.
  • Look for any usage of cookies, local storage, session storage, etc. which may contain keys, ivs or secrets.

Potential Vulnerabilities to Exploit after Breaking Encryption

  • Unlocked functionality by tampering response data.
  • Bypassing client side validations.
  • IDORs and other access control issues.
  • Extrenous data exposure.
  • Business logic flaws.

Edge Cases (Tricky Implementations)

Developers are tricksy and may use a out of the box methods to encrypt/decrypt data. I’ve seen cases where developers use weird methods. All these edge cases can be found by carefully analysing the request/response and client side code.

Example 1:

  • Encryption key is send back in response of OPTIONS request or used from Response of previous request.
  • This key is then used to encrypt/decrypt data in next request and a new key is presented in response of next request.

Example 2:

  • For each request a new key/iv pair is generated using some logic and these values are sent in Request headers. So, for each request the key/iv will be different.

Example 3:

  • Application uses a cookie for authentication but sends key/iv in Authorization header.

Example 4:

  • Application sends some other data in request/response which is used to generate key/iv pair.
  • In one case, I found that the application was sending a Correlation ID in request which was used to generate the key for encryption.