I'm needing to pull reports from Amazon's Seller Central portal for multiple clients of ours on a weekly basis via a python script. I try to avoid webdrivers due to their inconsistent, error-prone nature across different OSes (from experience). Therefore, I figured it would be a fun little project (and maybe, ultimately, exercise in futility) to try reverse-engineering the login process for sellercentral.amazon.com. The process isn't difficult, save for two fields in the initial login form: password
and metadata1
. The password
field is discussed in detail below. The metadata1
field seems to employ a similar technique, while introducing the additional hurdle of changing every few seconds. When i monitored the metadata1
value it appeared to be generated using a large json object of the various browser metrics. But, one thing at a time, so I'll focus on the password encryption in this post and worry about metadata1
in a future post.
Upon form submission the value in the password
field is encrypted using techniques discussed further down in this post. The resulting encrypted value then replaces the value in the the password field and renames the field encryptedPwd
So far, I've been reviewing the javascript files and stepping through the code sequences and have learned the following:
SiegeCrypto.addProfile("AuthenticationPortalSigninNA", {
"password": {dataType: "AuthPortalSigninPasswordNA", requiresTail: false},
});
...
SiegeCrypto.addDataType({
"dataTypeId": "AuthPortalSigninPasswordNA",
"jwkPublicKey": {"kty":"RSA","e":"AQAB","n":"gXXZV1VqZ6k_uQtyJNJy5q-qvKdqrXJNgKUO1aYc1UPBVqlhCP0GPxf-0GSo-LEtArgcbF8-j6_vSLSqztYxxF8og--rB8zAyZ8DXZaugX-UiJDQnoJL_HtXKuwIm9U7oEPoeD6H4ZDcfbsPj77xVn7UA2-a90N4aZqMC8EIfXIy1tqSbSPnxPOaiEmy8xGtG-L3RdCyc7TL0Swd_f0_DjRT6ip91IBlCmquoa-xJgZ9e44PVH4AwdyssiV4ZLEZ5yFcE0zcRb_62kx_TQptidbJ4nHocFVjmUW9YsrAWeKrBmOGZEjO4vbATYs1Yf4vgcH7Ix61EPR5sbDP4SlBWQ"},
"providerId": "si:md5",
"keyId": "56d14edce8e2cb6c6842c59ddaee426e"
});
Stepping through the code I was able to find more specifics of the algorithm
*profile* (used by SiegeCrypto)
- password: {dataType: "AuthPortalSigninPasswordNA", requiresTail: false}
*publicKeyProvider* (added as a DataType to SiegeCrypto)
- keyId: 56d14edce8e2cb6c6842c59ddaee426e
- providerId: si:md5
*wrapKey*
- wrappingAlgorithm
- name: RSA-OAEP
- hash: SHA-256
- modulusLength: 2048
- publicExponent: [1, 0, 1]
*Additional Fields*
name: aes_128_gcm_iv12_tag16
encryption: AES-GCM
ivLength: 12
keyLength: 128
tagLength: 128
Later in the process I was able to find the following, which I'm assuming is the parameters amidst being processed according to the encryptions specifications above, but i have no idea how to get to that point
cipherMessage: Uint8Array(413) [1, 128, 0, 20, 124, 132, 165, 153, 149, 96, 94, 4, 210, ...]
messageHeader:
- algorithmId: 20
- contentType: 2
- encryptedDataKeys: [{"keyInfo": "56d14edce8e2cb6c6842c59ddaee426e"}]
- encryptionContext: {}
- frameLength: 12
- headerIvLength: 12
- messageId: Uint8Array(16) [124, 132, 165, 153, 149, 96, ...]
- type: 128
- version: 1
Looking over Amazon's AWS Encryption SDK (Python Repo) I've found the following three pieces that seem to be what I need. However, I'm not sure where to go from here.
# algorithm, mode, data_key_length, iv_length, auth_length, auth_key_length=0
EncryptionSuite.AES_128_GCM_IV12_TAG16 = (algorithms.AES, modes.GCM, 16, 12, 16)
# algorithm_id, encryption, message_format_version
AlgorithmSuite.AES_128_GCM_IV12_TAG16 = (0x0014, EncryptionSuite.AES_128_GCM_IV12_TAG16, 0x01)
# encryption_type, algorithm, padding_type, padding_algorithm, padding_mgf
WrappingAlgorithm.RSA_OAEP_SHA256_MGF1 = (EncryptionType.ASYMMETRIC, rsa, padding.OAEP, hashes.SHA256, padding.MGF1)
Can someone provide a short python snippet utilizing the above encryption techniques along with an explanation, so I can see how the encryptedPwd
field value is generated? Here's a dummy password to demonstrate with: Blamazon123
Two example values of the above dummy password as encryptedPwd
(I've added spaces where I saw consistences):
AYAAF P/a2u8yLSNjLWzPRIi0Bac AAAABAAZzaTptZDUAIDU2ZDE0ZWRjZThlMmNiNmM2ODQyYzU5ZGRhZWU0MjZlAQ Brthm+db6k/Oo832X/5U+JtXcBrVnCetjOnvcypG5ZZ6xZr0rXDDMctQevThwGjGYqOOQTy6tFALgMHnjWC2bcBBtyKMhUflpCjGTRodjE7btdqrgExEr07k1ErejaQ1vAW8hQSedfsQR3gyWxJcKKlQ91B4CYO5UMMJzevQyln0SASh5MLW6xOHMnjwdHI8aKFw2ErcvIFg5OpqCDSIyPjifvxkSTue7gJ3fB0ACda04EA5wxmkRteCF753kVGYNBD0h9eOHCPcCm/Y7bWoJAelvqu/U/LxAPkl216deDko4oxjVqLeRy/IExbx6cdEDT7zu0U7HROhvstu8TZE1f AgAAAAAMAAAADAAAAAAAAAAAAAAAA O0Gt/txLoiiXlGQcb5dyFn///// AAAAAQAAAAAAAAAAAAAAAQAAAAv LEJ4zlnbivrzliBrcFGIsPBU3srfmTu91dw4=
AYAAF L1E3ydr57mIKpAQtOrAPsE AAAABAAZzaTptZDUAIDU2ZDE0ZWRjZThlMmNiNmM2ODQyYzU5ZGRhZWU0MjZlAQ AUJX+8tRKZESh1o09BLe6Qj13iuyP5Kb2IC/ipA1mRlWIQtIYApU8792+f5U2x8wv7rTVHcKM8wnFXP2I78PCbo4kXwV5Q6JE99bV4BP+5YnzB1YI6XUgrZ2ubm1wcSV3W1K3OhMogcXIbWjeEjKj2WmpVgSgCXKS6+Z6GxMnE+hArZlNIATYojL7IlLPR5kiGzN4pq86gLzGbfcG2at1MNQ5DdrJtktixLJPU1oFwCtT4AFfy6kiGfoepN+VE0AK0ysMyX3FY7QaI9qLtuA20zQX52NbLzG/qSENYohHzgvOOVzCIr4uwyJ3uXSA0kKXEJ4IbWmQ+k30cotoWRSJW AgAAAAAMAAAADAAAAAAAAAAAAAAAA NUNRLibdfG4P1ac0dL8Ka////// AAAAAQAAAAAAAAAAAAAAAQAAAAv 4vyjW2MLIuuBm8D1c41v5ZwEQFk8k/p4GOss=
The javascript file largely responsible for generating the metadata1
field can be found here. I've decrypted the functions that I saw were part of the metadata1
generation process. They start on the following lines:
encryptedPwd
) adds the encryption eventlistener to the form submit actionmetadata1
process)metadata1
values are returned (from line 332)metadata1
contents before it's encryptedPublic key encryption is fast becoming the most widely used type of encryption because there are no issues to deal with concerning distribution of keys.
The two main kinds of encryption are symmetric encryption and asymmetric encryption. Asymmetric encryption is also known as public key encryption. In symmetric encryption, there is only one key, and all communicating parties use the same (secret) key for both encryption and decryption.
The three major encryption types are DES, AES, and RSA.
The Advanced Encryption Standard ( AES ), for example, offers the possibility to select key lengths of either 128, 192, or 256 bits. The key length of this method is accordingly large, as a result. Even with 128-bit encryption, 2 128 conditions can be mapped. These correspond to more than 240 sextillion possible key combinations.
Modern encryption methods, on the other hand, use keys which can provide significantly more defense. The Advanced Encryption Standard ( AES ), for example, offers the possibility to select key lengths of either 128, 192, or 256 bits. The key length of this method is accordingly large, as a result.
An encryption can therefore be described as a method by which plaintext and a key are passed through a cryptographic algorithm, and a secret text is produced. Modern cipher methods use digital keys in the form of bit sequences. An essential criteria for the security of the encryption is the key length in bits.
The GetEncryptionMethod method of the Win32_EncryptableVolume class indicates the encryption algorithm and key size used on the volume. An unsigned integer that specifies the encryption algorithm and key size used on the volume. The volume is not encrypted.
The metadata1
is encrypted in XXTEA. I‘ve wrote a Python script to decode and encode the metadata1
. This can be found here.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With