Server-side security war games: Part 8

Level 8 shows us another “Input secret” form. Let’s examine the source again. This time, there is an “encoded” secret. Let’s try to reverse engineer this. They’re using bin2hex, strrev, and base64_encode – those are all trivially reversible.

To reverse the encoding of $encodedSecret, we apply the inverse of each function in the opposite order:

$ php -a
Interactive shell

php > function decodeSecret($str) { return base64_decode(strrev(hex2bin($str))); }
php > $encodedSecret = "3d3d516343746d4d6d6c315669563362";
php > echo decodeSecret($encodedSecret) . "\n";
...

Now we can submit the decoded value as the secret in the form to obtain the next password.

Lessons learned

Obfuscating or scrambling data won’t keep it secure from attackers who are smart enough to reverse the process. None of the functions used in this level involves a key, so anyone who can read the source can undo them. You’ll need to use some kind of one-way function instead of reversible processes like they used in this level.
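The lesson above as an added example (not the level's source): the reversible scheme next to a check that stores only a one-way hash. The names encodeSecret and checkSecret and the sample secret are assumptions made for illustration, and the encoding order is inferred from the decodeSecret function shown earlier.

```php
<?php
// Added example, not code from the level. The sample secret is constructed.

// Reversible scheme, in the order implied by decodeSecret() above:
// base64_encode, then strrev, then bin2hex. No key is involved.
function encodeSecret(string $secret): string {
    return bin2hex(strrev(base64_encode($secret)));
}

function decodeSecret(string $str): string {
    return base64_decode(strrev(hex2bin($str)));
}

$sample = 'constructed-sample-secret';

// Weak: the constant embedded in the source round-trips to the secret.
$encoded = encodeSecret($sample);
var_dump(decodeSecret($encoded) === $sample);

// Hardened: keep only a salted, slow, one-way hash of the secret.
// In a real application this hash is generated once and stored;
// it is computed here only so the example is self-contained.
$storedHash = password_hash($sample, PASSWORD_DEFAULT);

// password_verify() re-hashes the input with the salt and cost stored
// in $storedHash and compares the results in constant time.
function checkSecret(string $input, string $storedHash): bool {
    return password_verify($input, $storedHash);
}

var_dump(checkSecret($sample, $storedHash));
var_dump(checkSecret('wrong-guess', $storedHash));

// There is no inverse to call: the stored value does not contain the
// secret in any recoverable form, only a verifier for it.
```

A one-way hash only resists recovery as far as the secret is hard to guess, so a short or common secret can still be found by offline guessing once the hash leaks. Keeping the source and the stored hash out of reach of visitors remains necessary either way.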