I’m working on understanding the data flow in a web application for educational purposes. I’ve noticed some interesting behavior regarding an API endpoint and I’m trying to figure out how it works.
The scenario:
When the page loads, user information is displayed in plain text.
This information is fetched via a POST request to the /v1/account/user/basic endpoint. (allegedly)
Both the request payload and the API response appear to be encoded/encrypted.
My questions:
Given that the information is displayed in plain text on the page, but the API request/response are encoded, does this imply that the decoding is happening client-side using JavaScript?
Is there a way to determine the decoding method being used? I’ve tried using Burp Suite and Param Miner but haven’t had success so far.
Are there any recommended approaches or tools for analysing this kind of setup to understand how the data is being processed?
I’m relatively new to API analysis and would appreciate any insights or suggestions on how to approach this problem. Thanks in advance for any help!
Here is a screenshot from my Burp session displaying the API request/response
What I’ve Tried:
I’ve searched through the JavaScript files for decryption keys, am I looking in the wrong files? I’m not sure if I’m missing something obvious here.
I’ve used Param Miner to try and guess query parameters, but haven’t had any success.
I attempted to decode the payload/response using Base64, but it doesn’t seem to be that simple. The encoding looks more complex, possibly some form of SHA256.