QTP Hackers - How to decrypt encrypted (SetSecure'd) password

QTP Hackers - How to decrypt encrypted (SetSecure'd) password

I will explain you how to decode an encoded password in QTP.
Using QuickTest Professional and this approach, you can hack email accounts published on Internet. Are you interested? :) So, continue reading this QTP tutorial for details.

I've just recorded a simple script, which signs into Gmail. It:
  1. Fills 'Username' in
  2. Fills 'Password' in
  3. Clicks 'Sign in' button
Gmail screen
And the recorded QTP script is:
Browser("Gmail").Page("Gmail").WebEdit("Email").Set "someaccount"
Browser("Gmail").Page("Gmail").WebEdit("Passwd").SetSecure "493844a99bee0e3ab952f2e867fd08e3"
Browser("Gmail").Page("Gmail").WebButton("Sign in").Click

As you can see, QTP script is simple enough.
I've set "someaccount" to 'Username' editbox. But what about 'Password' editbox? What value have I filled in?


QTP encrypted the password using SetSecure method:
WebEdit("Passwd").SetSecure "493844a99bee0e3ab952f2e867fd08e3"
QTP Help:
The SetSecure method is recorded when a password or other secure text is entered.
The text is encrypted while recording and decrypted during the test run.


How to know the initial text?

There is one trick. Apply SetSecure method to non-secured edit box!
Instead of this QTP code:
Browser("Gmail").Page("Gmail").WebEdit("Email").Set "someaccount"
Browser("Gmail").Page("Gmail").WebEdit("Passwd").SetSecure "493844a99bee0e3ab952f2e867fd08e3"
I run this QTP script:
Browser("Gmail").Page("Gmail").WebEdit("Email").SetSecure "493844a99bee0e3ab952f2e867fd08e3"
And the result of this QTP script is:
Revealed PasswordYes, "mypwd" was encrypted to "493844a99bee0e3ab952f2e867fd08e3". So, "mypwd" is the password I filled!
So, this is an easy way to decrypt an encrypted password in QTP.


By the way, there are two ways how to decrypt a password in QuickTest Professional:
  1. Using Crypt.Encrypt
    str = "Some Text"
    encrStr = Crypt.Encrypt(str)

    'encrStr' will contain an encrypted text.

  2. Using Password Encoder from 'Start/Programs/QuickTest Professional/Tools'
    QTP Password Encoder
Summary:
  • I explained two ways how to crypt a text in QTP
  • I shown an approach how to decrypt an encrypted text


Well, I promised to show how to hack email addresses... I remember!

I searched several QTP sites and forums for "SetSecure" function and found that some QTP engineers published their code snippets with encrypted passwords (for example, entrance into email accounts) :)

Now you know how to "read" (=steal) passwords in plain text.

Why do I tell that?
Just to remind - be careful when you publish such private info on Internet.

--
Dmitry Motevich



Related articles:


Do you like this QTP tutorial? Would you like to receive them automatically in the future?
If yes, please subscribe to this blog RSS feed or by Email. (How to subscribe? VIDEO guide)




Do you know that you are free to use/copy/publish all my materials on your site/blog?


7 comments:

Tarik Sheth said...

Very good explaination on encrypting and decrypting the texts.

Anonymous said...

Interesting!!

QTPExpert
quicktesthp(blogspot)

deny said...

thanks for the tips
easy to implement...

Thirupathi said...

Excellent your explanations

Anonymous said...

Hi,

Very nice presentation...

Is there any other way to capture a full webpage image in QTP?

Regards,
Suresh Kumar K

mary said...

thanks for your support.
It is very easy to practise.

tushar said...

we should actually never pass secure password. the reason for this is that we can directly use the script for login and do any mess there. no need to take pain to decrypt.