Hello dynamicdrivers. Try to steal my password here. Can you do it?
That's fast!
I won't ask you yet how you did it, but you may want to give us the first letter of the password.
Took me forever though. Code: Your guess: _ e _ _ _ _ _. Congratulations. You are a genius.
Well traq and keyboard, since you managed to steal my password, I'll try to do a better job.
One question: did you find it by downloading the files of the site?
Technically, since "visiting" a webpage is just another way of saying you downloaded it, yes. But I didn't do anything special (didn't even use view source). Interestingly, I didn't see your onmouseleave event right away because I opened Chrome's dev tools (apparently, Chrome doesn't count switching windows as a mouseleave event). Anyway, dev tools showed me everything. You could also find it by disabling JavaScript and inspecting the script on each page in sequence. Not a bad job, though! Creative approach. Fun exercise.
You could have made it much more difficult by hashing the password instead of leaving it in plain text. There are user implementations of MD5 for JavaScript, for example. This still wouldn't be "secure," but it would have taken more dedication on the part of the attacker (for instance, I would have told you how to crack it, but probably wouldn't have bothered trying myself).
Last edited by traq; 03-23-2014 at 06:26 PM.
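The suggestion in the post above (ship a hash in the page instead of the plain-text password), as an added example that is not part of the thread. It uses salted PBKDF2 from Node's crypto module rather than the MD5 mentioned in the post, and the function names, work factor and sample password are assumptions made for illustration.

```javascript
// Added example, not code from the thread. Runs under Node.js; all names are hypothetical.
const nodeCrypto = require('node:crypto');

const ITERATIONS = 100000; // assumed work factor for this sketch

// Done once by the site author, offline: derive a salted verifier from the password.
function makeVerifier(password) {
  const salt = nodeCrypto.randomBytes(16);
  const digest = nodeCrypto.pbkdf2Sync(password, salt, ITERATIONS, 32, 'sha256');
  return { salt: salt.toString('hex'), iterations: ITERATIONS, digest: digest.toString('hex') };
}

// What the page would run on each guess: recompute the digest, compare in constant time.
function checkGuess(guess, verifier) {
  const salt = Buffer.from(verifier.salt, 'hex');
  const expected = Buffer.from(verifier.digest, 'hex');
  const actual = nodeCrypto.pbkdf2Sync(guess, salt, verifier.iterations, expected.length, 'sha256');
  return nodeCrypto.timingSafeEqual(actual, expected);
}

// The script text a visitor would see in dev tools for each approach.
function plainTextPageScript(password) {
  return `if (guess === ${JSON.stringify(password)}) { unlock(); }`;
}
function hashedPageScript(verifier) {
  return `const verifier = ${JSON.stringify(verifier)};\n` +
         `if (checkGuess(guess, verifier)) { unlock(); }`;
}

// Constructed sample password, not the one from the thread.
const SAMPLE_PASSWORD = 'correct-horse-7';
const verifier = makeVerifier(SAMPLE_PASSWORD);

// Does the shipped script text contain the password itself?
console.log('plain-text script leaks password:',
  plainTextPageScript(SAMPLE_PASSWORD).includes(SAMPLE_PASSWORD));
console.log('hashed script leaks password:',
  hashedPageScript(verifier).includes(SAMPLE_PASSWORD));
console.log('right guess accepted:', checkGuess(SAMPLE_PASSWORD, verifier));
console.log('wrong guess accepted:', checkGuess('wrong-guess', verifier));
```

The verifier still reaches every visitor, so the check remains client-side and is only as strong as the password and the work factor; a check performed on the server is what keeps both out of the page.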
Thanks for the useful remarks, traq.
What I actually did was include the page containing the password (password.html) in a div of the main page (= hackme.html) with the help of onhashchange. This ensured that hackme.html always displayed as hackme.html#password.html. I also put a script in password.html ensuring that this was also true for password.html (displaying as hackme.html#password.html too).
Viewing the source of hackme.html#password.html now only produced the actual source of hackme.html, not the source of the file (password.html) containing the password. So I thought I had created some kind of password protection until I discovered that the whole thing didn't work when the visitor downloaded the site. That's where I thought the onmouseleave might be useful. I was not aware of what you said about dev tools.
Thanks a lot. Very helpful.
Dev tools almost make "view source" obsolete. Plus, they're in every major browser by default nowadays.
Personally I just opened the site up in Firebug (an add-on for Firefox) and that showed me each of the scripts that were currently running on that page. I was going to try and brute force it, but I couldn't be bothered.