Is there a salt function available?
Usually salting a hash simply means adding the salt at the beginning or at the end of the password and then calculating the hash, like this
hash(salt + password)
so using interpolation, use Hash String block and pass
<SALT><PASSWORD>
Done!
The salt is only generated during login and it’s always different for each request.
I opened a Hash String block and placed this:
<SALT><input.PASSWORD>
Then I get this error:
[IDLE] (3,35): error CS0103: The name 'SALT' does not exist in the current context
Well yes, you need to parse the salt, obviously. If it’s generated client-side and not sent by the server (which I find REALLY weird), then you can use a random string block, but I’m almost positive the server is sending it.
{"email":"<input.USERNAME>","password":"<input.PASSWORD>","rememberMe":true,"s":"d6c820e8c75a1d47101ad0c48e994"}
If I do an initial GET request to the site, I can’t find the salt anywhere.
And when I tried making a POST request to hopefully parse the salt from the response, it gives me invalid results.
Okay, then maybe it really is auto-generated by the client. In this case, use the Random String block and as many ?h as there are characters in the salt to generate a random hex string.
{
"msg" : "The salt is invalid",
"reason" : "saltInvalid",
"status" : 401
}
Since the salt was 29 characters, I did this in Random String:
?h?h?h?h?h?h?h?h?h?h?h?h?h?h?h?h?h?h?h?h?h?h?h?h?h?h?h?h?h
I’m really quite sure it’s the server passing the salt; in 99% of cases it’s the server passing it to the client. Please make sure to sniff any request and/or the JavaScript code. Maybe a generated salt needs to meet some conditions and cannot be completely random.