Custom Search

Decrypt an Encrypted Password

It is well known that recording a login sequence results in code similar to this:

Where QTP uses the SetSecure method for the Password field and records the encrypted string that represents our raw input password. One frequent question asked in forums is how is it possible to decrypt such a string. QTP's Crypt object cannot help us here, as the only method known to us is Encrypt.

A well known solution is by using the SetSecure method on a WebEdit of type text with the encrypted string as value. As a result, we should be able to view the decrypted password as the value of the WebEdit. This solution works, but does not fit for automation. I will suggest here a simple method to Decrypt an Encrypted string (usually a password) automatically.

First, we need to define a WebEdit on our local machine:

For the sake of the demonstration, let us assume that we save this html file in: C:\Decryptor\Decryptor.html.

Second, we will define our Decrypt method. Recall that using SetSecure with a regular (non-password type) WebEdit reveals the original (decrypted) text. Here it goes:

Actually the idea is very simple. We launch an invisible Browser and navigate to our local page that includes a regular WebEdit (tag input, type text). Then, we get a reference to this WebEdit using Descriptive Programming (DP) and call its SetSecure method, passing our encrypted string. Immediately after that, we assign our function the new value of the WebEdit so that it is returned. Finally, we clean up by closing the browser and setting the variables to nothing.

Here is an example of a call to our Decrypt method using the encrypted string of "mypassword":

Enjoy decrypting… automatically!

Important Notes:

  1. The Crypt.Encrypt method gives the same result as a password type WebEdit SetSecure method.
  2. The suggested method is not meant to encourage hacking applications. Keep in mind that passwords are confidential and should not be compromised.
  3. The suggested method exposes what may be considered a security breach. Perhaps HP should consider filtering or blocking the SetSecure method for non-password WebEdit objects

No comments: