
I'm in the process of decrypting Chrome's cookie information for a particular website. I can read the data from the file using the SQLite DB object successfully. The next step is to decrypt the encrypted data.

I've managed to find two Java executables JDPAPI & windpapi4j allowing me to use the Microsoft Data Protection API (MS DPAPI) in Java. I've loaded both the JAR files in the lib folder and can see their methods as shown below.

[Image: JAR Methods]

I'm trying to pass the encrypted_value of the cookie to the unprotectData and unprotect methods of the Java objects but getting the following error for both of them.

[Image: Error]

Code:

```cfml
<cfset a_sqlite = createObject( 'java', 'org.sqlite.JDBC' )>
<cfset WinDPAPI = createObject('java','com.github.windpapi4j.WinDPAPI') />
<cfset jdpapi = createObject('java','net.sourceforge.jdpapi.DataProtector') />

<cfdump var="#WinDPAPI#" label="WinDPAPI">
<cfdump var="#jdpapi#" label="jdpapi">

<!--- <cfdump var="#a_sqlite#"> --->

<cfset a_prop = createObject( 'java', 'java.util.Properties' )>
<cfset db_filename = 'C:\Users\username\AppData\Local\Google\Chrome\User Data\Default\cookies'>

<cfset a_conn = a_sqlite.connect( 'jdbc:sqlite:' & db_filename, a_prop.init() )>

<!--- <cfdump var="#a_conn#"> --->

<cfset a_statement = a_conn.createStatement()>

<cfset a_res = a_statement.executeQuery("select * from cookies where host_key like '%ggas%';")>

<!--- <cfdump var="#a_res#"> --->


<cfloop condition="#a_res.next()#" >
    <cfoutput>#a_res.getString("host_key")# = #a_res.getString("name")#</cfoutput><br>
    <!--- <cfset encrypted_string = "#a_res.getString("encrypted_value")#"> --->

    <cfdump var="#WinDPAPI.unprotectData(a_res.getString("encrypted_value"))#">
    <cfdump var="#jdpapi.unprotect(toBinary(toBase64(a_res.getString("encrypted_value"))))#">
    <!--- <cffile action="write" file="#expandPath(".")#\output.txt" output="#jdpapi.unprotect(toBinary(toBase64(a_res.getString("encrypted_value"))))#" addnewline="true"> --->
</cfloop>
```

I believe it's something to do with the byte[] input type but not sure how to go about it. Any pointers would be helpful.

Gaurav S
  • Have you tried calling the Java `getBytes()` method on your string, and passing the result of that in, e.g. `jdpapi.unprotect(a_res.getString("encrypted_value").getBytes())`? – Sev Roberts Jul 07 '20 at 20:57
  • @SevRoberts: Tried `getBytes()` and `getBytes('UTF-8')`. Getting `Object Instantiation Exception` now. `An exception occurred while instantiating a Java object. The class must not be an interface or an abstract class. If the class has a constructor that accepts an argument, you must call the constructor explicitly using the init(args) method. Error : com.github.windpapi4j.WinDPAPI` – Gaurav S Jul 07 '20 at 23:18
  • So that's your CF vs Java vs CF byte array issue sorted at least. Now based upon the new error and the earlier object dump, you need to change your code to instantiate using `WinDPAPI.newInstance(...)` - however I'm not familiar with that library so don't know what the value of the CryptProtectFlag argument should be. At what point in your code is it throwing the error? And if it gets as far as the cfloop, does the exception occur on the first iteration of the loop, or does the first iteration succeed? – Sev Roberts Jul 08 '20 at 00:24
  • The class doesn't have a public constructor, hence the error. Like Sev suggested, use `newInstance(...)` instead. Try the hello world example from the project home page first. Don't forget to create a com.github.windpapi4j.WinDPAPI.CryptProtectFlag reference before using `CryptProtectFlag.CRYPTPROTECT_UI_FORBIDDEN`. – SOS Jul 09 '20 at 07:46
  • Looks like Chrome ver. 80 and above have changed their encryption algorithm, hence these executables won't work. Previously they were using only `Windows DPAPI` and now they have added an extra layer of security with `AES-256-GCM algorithm`. – Gaurav S Jul 09 '20 at 12:25
