
I was making requests to an API when they updated the platform and changed the way the body of the requests is sent, since it is now encrypted. Example of what is sent now:

eyJhbGciOiJSU0EtT0FFUC0yNTYiLCJlbmMiOiJBMjU2R0NNIn0.bhPQqL8rheiAAv-c9m1wMrisHyJWwDgo5BftGHJ5xHuoG50VdZCxX7rF_nTgB10BLcKz4EGzxGA-0RfZqaNPaYou7h4dvMgX1MxuyRQJBay4ls1rrDDYHC0RElEgLwZrdgQNwJru3WBs-D33nhwV2eAgO3l4r_sUctmPxh79yeKkCPFSCUWpJH3zqDSOXhlJIK2ZJCzG0BX8C1ZUGiFn_woIO_tNrO7NI2WAQVwd5jO9RWBufn_xORyR3sdwScfAJn-0rqq83d7ub8K_dB7nVSvMEbtmacPBy2-vscC7WVHob5uYHyH9tYBWbgttxNOtjdT4tj5pURImXBh8FnpA2w.FEc_FBP4swn-Ux6L.B9uY4iFVSL498r3BFhgOk2Nhx-15VJAsEXP4VnbfYb-U13fOj-o47YY2vBa1HXItWksweed7O8Wkt9bH9kZG75llZgQT0WJJBIGHLQLObDyEmtPBDkUgsk8gLYtDvE5qHKoy1iLIQd78FMcxwN4M36Rv71pqmt62IugtLhHTMi70YiKPHN39hB-WNDSIlmO8tCu1m6FpDkkw4Qg8OOBRkABqi8sY0wxzW9B8orUahoUMOGwrGaY.dYMp4LA0CFpJg69lhXZkYw

Example of what was sent before

[{"operationName": "UserReservations","variables": {},"query": "query UserReservations {\n  userReservation {\n    variantId\n    quantity\n    id\n    user\n    __typename\n  }\n}\n"}]

Looking for information, I realized that you have to get the website's public key, which contains the information necessary to encrypt the body of the request. Could you help me with some documentation, or something I can base myself on, to be able to correctly encrypt the body of the request?

jps
  • Surely the API vendor must have documentation. – Richard Heap Mar 30 '23 at 20:20
  • *what is sent now `eyJhbGciOiJSU0EtT0FF...`* - that's a JWE (JSON Web Encryption), the encrypted form of JWT (JSON Web Token) – jps Mar 30 '23 at 20:28
  • Well, it looks like 3 values separated by the dots, encoded using base64url. You'd probably have the RSA-encrypted AES key, then the AES-GCM ciphertext, then the GCM authentication tag. Not sure how the IV is handled. Maybe what I see as the final tag is the IV, but that doesn't seem to fit; usually it is 12 bytes for GCM. – Maarten Bodewes Mar 30 '23 at 20:37
  • It does seem to match a JWE compact serialization with lengths 38, 256, 12, 182, 16, so once you know what the headers and plaintext need to be, use the jose library to create, encrypt and generate the JWE. – Richard Heap Mar 30 '23 at 20:54
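The comments identify the new body as a JWE in compact serialization and give the decoded segment sizes. The script below is an added example (not code from the question or from any commenter): it parses the token posted in the question with the standard library only, decodes the protected header, and checks that the IV, tag and encrypted-key sizes are consistent with the `alg`/`enc` the header declares (RFC 7516 for the five-part layout, RFC 7518 section 5 for the per-algorithm sizes). It also flags the `RSA1_5` key-wrap algorithm, which is not on this page but is a check worth having when reading any JWE header. It decrypts nothing; the point is to read off what the server expects before reaching for a JOSE library.

```python
import base64
import json

# The JWE compact serialization posted in the question, one segment per line
# (protected header . encrypted key . IV . ciphertext . tag).
JWE_FROM_QUESTION = (
    "eyJhbGciOiJSU0EtT0FFUC0yNTYiLCJlbmMiOiJBMjU2R0NNIn0"
    ".bhPQqL8rheiAAv-c9m1wMrisHyJWwDgo5BftGHJ5xHuoG50VdZCxX7rF_nTgB10BLcKz4EGzxGA-0RfZqaNPaYou7h4dvMgX1MxuyRQJBay4ls1rrDDYHC0RElEgLwZrdgQNwJru3WBs-D33nhwV2eAgO3l4r_sUctmPxh79yeKkCPFSCUWpJH3zqDSOXhlJIK2ZJCzG0BX8C1ZUGiFn_woIO_tNrO7NI2WAQVwd5jO9RWBufn_xORyR3sdwScfAJn-0rqq83d7ub8K_dB7nVSvMEbtmacPBy2-vscC7WVHob5uYHyH9tYBWbgttxNOtjdT4tj5pURImXBh8FnpA2w"
    ".FEc_FBP4swn-Ux6L"
    ".B9uY4iFVSL498r3BFhgOk2Nhx-15VJAsEXP4VnbfYb-U13fOj-o47YY2vBa1HXItWksweed7O8Wkt9bH9kZG75llZgQT0WJJBIGHLQLObDyEmtPBDkUgsk8gLYtDvE5qHKoy1iLIQd78FMcxwN4M36Rv71pqmt62IugtLhHTMi70YiKPHN39hB-WNDSIlmO8tCu1m6FpDkkw4Qg8OOBRkABqi8sY0wxzW9B8orUahoUMOGwrGaY"
    ".dYMp4LA0CFpJg69lhXZkYw"
)

# Segment order of the JWE compact serialization (RFC 7516 section 7.1).
JWE_PART_NAMES = ("protected_header", "encrypted_key", "iv", "ciphertext", "tag")

# IV and authentication-tag sizes in bytes fixed by RFC 7518 section 5 per "enc".
IV_AND_TAG_SIZES = {
    "A128GCM": (12, 16), "A192GCM": (12, 16), "A256GCM": (12, 16),
    "A128CBC-HS256": (16, 16), "A192CBC-HS384": (16, 24), "A256CBC-HS512": (16, 32),
}


def b64url_decode(segment: str) -> bytes:
    """Decode unpadded base64url (RFC 7515 appendix C); an empty segment gives b''."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    """Encode bytes as unpadded base64url, the JOSE convention."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def parse_jwe_compact(token: str) -> dict:
    """Split a compact JWE into its five segments and decode the protected header."""
    parts = token.split(".")
    if len(parts) != 5:
        raise ValueError(f"JWE compact serialization needs 5 parts, got {len(parts)}")
    raw = dict(zip(JWE_PART_NAMES, (b64url_decode(p) for p in parts)))
    return {
        "header": json.loads(raw["protected_header"]),
        "lengths": {name: len(raw[name]) for name in JWE_PART_NAMES},
        "raw": raw,
    }


def check_jwe_structure(parsed: dict) -> list:
    """Return findings about size/algorithm consistency; an empty list means all checks passed."""
    findings = []
    header, lengths = parsed["header"], parsed["lengths"]
    alg, enc = header.get("alg"), header.get("enc")
    if alg is None or enc is None:
        return ["protected header must carry both 'alg' and 'enc' (RFC 7516 section 4.1)"]
    if enc in IV_AND_TAG_SIZES:
        iv_len, tag_len = IV_AND_TAG_SIZES[enc]
        if lengths["iv"] != iv_len:
            findings.append(f"iv is {lengths['iv']} bytes, {enc} requires {iv_len}")
        if lengths["tag"] != tag_len:
            findings.append(f"tag is {lengths['tag']} bytes, {enc} requires {tag_len}")
    else:
        findings.append(f"unrecognised 'enc' value {enc!r}")
    if alg.startswith("RSA"):
        # RSA key wrap: the encrypted CEK is exactly one modulus wide (2048-bit key -> 256 bytes).
        if lengths["encrypted_key"] < 256 or lengths["encrypted_key"] % 64:
            findings.append(f"encrypted_key is {lengths['encrypted_key']} bytes, not a plausible RSA modulus size")
        if alg == "RSA1_5":
            findings.append("RSA1_5 (PKCS#1 v1.5) key wrap is exposed to padding-oracle attacks; RSA-OAEP-256 is preferred")
    elif alg == "dir" and lengths["encrypted_key"] != 0:
        findings.append("'dir' means the CEK is pre-shared, so encrypted_key must be empty")
    return findings


if __name__ == "__main__":
    parsed = parse_jwe_compact(JWE_FROM_QUESTION)
    print("protected header:", parsed["header"])
    print("segment sizes (bytes):", parsed["lengths"])
    print("findings:", check_jwe_structure(parsed) or "none, structure is consistent")
```

Run as-is it reports the header `{"alg": "RSA-OAEP-256", "enc": "A256GCM"}` and the sizes 38, 256, 12, 182, 16 quoted in the comments: a 2048-bit RSA-wrapped content key, a 12-byte GCM nonce and a 16-byte GCM tag. Those two header values, together with the server's RSA public key, are exactly what a JOSE library needs to produce a body the new API will accept.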

0 Answers