var aes256 = require("aes256")
// Sample record: a JSON object with an authorization-relevant field (`admin`)
// that the receiving side trusts once the ciphertext decrypts and parses.
const plaintext = JSON.stringify({id: 5552, admin: true})
const key = 'hopefully some (true) random generated key or one derived from a PBKDF'
const ciphertext = aes256.encrypt(key, plaintext)
// The ciphertext is then stored somewhere outside the server's control.

// Tampering experiment: someone who holds the ciphertext but NOT the key
// substitutes one character at a time and resubmits the result.
//
// Security point: nothing below checks the integrity of the ciphertext before
// decrypt() is called; the only "validation" is that the output parses as JSON.
// With unauthenticated encryption a modified ciphertext yields a modified
// plaintext instead of an error, so a strong key alone does not protect the
// `admin` field from being altered.
// NOTE(review): whether aes256.decrypt() authenticates its input is not
// visible in this file; this loop only prints something if it does not.
// Confirm against the installed package version.
//
// Mitigation: use authenticated encryption (for example AES-256-GCM through
// node:crypto, verifying the auth tag) or encrypt-then-MAC with an HMAC over
// IV + ciphertext that is verified in constant time BEFORE decrypting, and do
// not derive privileges from client-held data without checking server state.

// Declared by the original script; never updated in the visible code.
let cracked = false
for (let digit = 0; digit < 36; digit += 1) {
  // Base-36 digit: one of 0-9 or a-z.
  const replacement = digit.toString(36)
  for (let pos = 8; pos < ciphertext.length - 1; pos += 1) {
    // Same ciphertext with the character at `pos` swapped out.
    const tampered = `${ciphertext.slice(0, pos)}${replacement}${ciphertext.slice(pos + 1)}`
    // Skip substitutions that leave the ciphertext unchanged.
    if (tampered !== ciphertext) {
      // Server side: decrypt whatever was submitted ...
      const recovered = aes256.decrypt(key, tampered)
      try {
        // ... and accept it as soon as it is well-formed JSON. Any output
        // here is a plaintext the server never encrypted.
        console.log(JSON.parse(recovered))
      } catch (e) {
        // Not valid JSON: this candidate is rejected, try the next one.
      }
    }
  }
}