How is the change hash computed?

0
Hi there, I come from a traditional development background and have pivoted into security testing. That means I get to look at many development frameworks from a security angle when testing applications built with these technologies. That is to say: Help! I have some previous knowledge but now I really need to understand Mendix.

I am currently trying to understand the underlying HTTP requests since I want to write some automated tests in the future. While I have learned a lot from The Art of State Blogpost, one thing I still have not figured out is how the hash value in a change is computed. Take this for example:

    "changes": {
      "11821949021854854": {
        "MyApp.Customer_Account": {
          "value": "29554872554625882",
          "hash": "+dS0te2bpUetwdz9ExQUoynrrROjAQw90jcbe3jbvTg="
        },
        "System.changedBy": {
          "value": "281474976719559",
          "hash": "QLJyP4/rAl4s9keCAGq5VdtO+ufA/aYkc98botVH47A="
        },
        "createdDate": {
          "value": 1588579485370,
          "hash": "aCEOwotHWzIWMkjBGLSNtp3EJegOMZuI3Mi8Y0tmnuI="
        },
        "System.owner": {
          "value": "281474976719559",
          "hash": "V+qS9jtWxiFZEzDoHqVN6xqgiRcgCsGCiC21Jh6R0u0="
        },
        "Email": {
          "value": "foo@bar.com"
        }
      }
    }

From what I gathered so far, the hash is:

- obviously encoded base64
- 32 Bytes long, i.e. 256 Bit
- so I assume it is SHA256

What I don't get is:

- Where is it computed?
- Over what data?
- Why does the change to Email not have a hash?

Thanks in advance
asked
1 answers
2

The hash is called the ‘read only hash’. It is there to ensure that the client cannot change a read only attribute. Mendix calculates this hash at the server and sends it to the client. When the client sends data back, the hash has to match with the data. Since the client cannot calculate the hash, it cannot change attributes – or it can change the data, but that change will be rejected by the server, since the hash does not match.

Your email attribute does not have a hash, because you have write rights to that attribute.

The hash calculation is secret, and it probably contains data that is only accessible on the server: if it was known, you could avoid the read only restriction on attributes.

You can read more about this in this blog.

A final remark: you are not required to calculate the hash to perform automated testing. You receive the hash from the server, and you must return it. Most UI automated test tooling has no issue with this (LoadRunner / Ranorex to name two I have experience with).

answered
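The mechanism described in the answer (a server-computed hash attached to read-only attributes, echoed back by the client and checked on the server, absent on writable attributes) can be modelled in a few lines. The following is an added example, not Mendix code and not the actual Mendix algorithm, which the answer says is secret: it assumes a keyed HMAC-SHA256 over the object id, attribute name and value with a server-only secret, which yields the 32-byte base64 values seen in the question. The object id, attribute names and values are taken from the question; SERVER_SECRET, READ_ONLY_ATTRIBUTES and all function names are constructed for the demonstration.

```python
import base64
import copy
import hashlib
import hmac
import json

# Constructed demo secret. In a real runtime this lives only on the server;
# without it a client cannot produce a valid hash for a changed value.
SERVER_SECRET = b"constructed-demo-secret-not-a-real-key"

# Assumption: these attributes are read-only for the current user, Email is writable.
READ_ONLY_ATTRIBUTES = {"MyApp.Customer_Account", "System.changedBy", "createdDate", "System.owner"}

OBJECT_ID = "11821949021854854"
SAMPLE_ATTRIBUTES = {
    "MyApp.Customer_Account": "29554872554625882",
    "System.changedBy": "281474976719559",
    "createdDate": 1588579485370,
    "System.owner": "281474976719559",
    "Email": "foo@bar.com",
}


def read_only_hash(object_id: str, attribute: str, value) -> str:
    """Server-side: keyed HMAC-SHA256 over (object id, attribute, value), base64 encoded.

    SHA-256 gives 32 bytes, so the base64 form is 44 characters, matching the
    hashes in the question. Binding the object id and attribute name stops a
    valid hash from being replayed onto a different attribute or object.
    """
    message = f"{object_id}|{attribute}|{json.dumps(value, sort_keys=True)}".encode()
    digest = hmac.new(SERVER_SECRET, message, hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def build_server_changes(object_id: str, attributes: dict) -> dict:
    """Server-side: attach a hash to every read-only attribute; writable ones are sent bare."""
    changes = {}
    for name, value in attributes.items():
        entry = {"value": value}
        if name in READ_ONLY_ATTRIBUTES:
            entry["hash"] = read_only_hash(object_id, name, value)
        changes[name] = entry
    return {"changes": {object_id: changes}}


def verify_client_changes(payload: dict) -> list:
    """Server-side check of a returned payload.

    Returns the (object id, attribute) pairs whose read-only hash is missing or
    does not match the value sent back; an empty list means the payload is accepted.
    """
    rejected = []
    for object_id, attrs in payload["changes"].items():
        for name, entry in attrs.items():
            if name not in READ_ONLY_ATTRIBUTES:
                continue  # writable attribute: no hash expected, any value accepted
            expected = read_only_hash(object_id, name, entry["value"])
            # Constant-time comparison so the check does not leak which bytes matched.
            if not hmac.compare_digest(expected, entry.get("hash", "")):
                rejected.append((object_id, name))
    return rejected


def tamper_and_verify(attribute: str, new_value) -> list:
    """Simulate a client that edits one value but keeps the server-issued hashes."""
    payload = copy.deepcopy(build_server_changes(OBJECT_ID, SAMPLE_ATTRIBUTES))
    payload["changes"][OBJECT_ID][attribute]["value"] = new_value
    return verify_client_changes(payload)


if __name__ == "__main__":
    print("unmodified echo rejected:", verify_client_changes(build_server_changes(OBJECT_ID, SAMPLE_ATTRIBUTES)))
    print("Email changed rejected:  ", tamper_and_verify("Email", "other@example.com"))
    print("owner changed rejected:  ", tamper_and_verify("System.owner", "1"))
```

For automated testing this shows why echoing the server's hash unchanged is sufficient, as the answer says: the verification only fails when a hashed value is altered (or its hash dropped), and a writable attribute such as Email passes with any value because no hash is expected for it.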