Thread: Invitation to steal my javascript-based password

  1. #1
    Hello dynamicdrivers. Try to steal my password here. Can you do it?

  2. #2
    yes
    Last edited by traq; 03-23-2014 at 06:23 PM.

  3. #3
    That's fast!
    I won't ask you yet how you did it, but you may want to give us the first letter of the password.

  4. #4

  5. #5
    Code:
    Your guess: _ e _ _ _ _ _. Congratulations. You are a genius.
    Took me forever though.

  6. #6
    Join Date
    Sep 2007
    Location
    The Netherlands
    Posts
    1,321
    Thanks
    30
    Thanked 137 Times in 132 Posts
    Blog Entries
    29

    Default

    Well traq and keyboard, since you managed to steal my password, I'll try to do a better job.
    One question: did you find it by downloading the files of the site?

  7. #7
    Technically, since "visiting" a webpage is just another way of saying you downloaded it, yes. But I didn't do anything special (didn't even use view source). Interestingly, I didn't see your onmouseleave event right away because I opened Chrome's dev tools (apparently, Chrome doesn't count switching windows as a mouseleave event). Anyway, dev tools showed me everything. You could also find it by disabling javascript and inspecting the script on each page in sequence. Not a bad job, though! Creative approach. Fun exercise.

    You could have made it much more difficult by hashing the password instead of leaving it in plain text. There are user implementations of md5 for javascript, for example. This still wouldn't be "secure," but it would have taken more dedication on the part of the attacker (for instance, I would have told you how to crack it, but probably wouldn't have bothered trying myself).
    Last edited by traq; 03-23-2014 at 06:26 PM.
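
The point made in post #7, as an added example that is not code from the thread or from the site being discussed: a password shipped in the page is readable in dev tools, a shipped hash can still be guessed against offline, and only a server-side check keeps the secret away from the visitor. The sample password, page strings, function names and lockout threshold are all constructed for illustration (Node.js).

```javascript
// Added illustration; the password, page strings and names are constructed.
const crypto = require('crypto');

const SAMPLE_PASSWORD = 'tulip42'; // constructed sample secret

// 1) Plain-text check shipped in the page: the secret sits in the script.
const plainPage =
  `<script>function check(p){return p==="${SAMPLE_PASSWORD}";}</script>`;

// 2) Hashed check shipped in the page (the md5 idea from post #7): the
//    password is not readable, but the hash is, so guesses can be tested
//    offline at full speed without the site ever noticing.
const md5 = (s) => crypto.createHash('md5').update(s).digest('hex');
const hashedPage =
  `<script>var H="${md5(SAMPLE_PASSWORD)}";/* check(p): md5(p)===H */</script>`;

// 3) Server-side check: the page carries only a form. The server keeps a
//    salted scrypt hash and counts failed attempts.
const serverPage =
  '<form method="post" action="/login"><input type="password" name="p"></form>';

const MAX_FAILURES = 5; // assumed lockout threshold

function makeRecord(password) {
  const salt = crypto.randomBytes(16);
  return { salt, hash: crypto.scryptSync(password, salt, 32), failures: 0 };
}

function verify(record, attempt) {
  if (record.failures >= MAX_FAILURES) return 'locked';
  const candidate = crypto.scryptSync(String(attempt), record.salt, 32);
  if (crypto.timingSafeEqual(candidate, record.hash)) {
    record.failures = 0; // reset the counter on success
    return 'ok';
  }
  record.failures += 1;
  return 'denied';
}

// What a visitor with dev tools can recover from each page.
function exposure(page) {
  if (page.includes(SAMPLE_PASSWORD)) return 'password';
  if (page.includes(md5(SAMPLE_PASSWORD))) return 'offline-guessable hash';
  return 'nothing';
}
```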

  9. #8
    Thanks for the useful remarks, traq.
    What I actually did was include the page containing the password (password.html) in a div of the main page (=hackme.html) with the help of onhashchange. This ensured that hackme.html always displayed as hackme.html#password.html. I also put a script in password.html ensuring that this was also true for password.html (displaying as hackme.html#password.html too).
    Viewing the source of hackme.html#password.html now only produced the actual source of hackme.html, not the source of the file (password.html) containing the password. So I thought I had created some kind of password protection until I discovered that the whole thing didn't work when the visitor downloaded the site. That's where I thought the onmouseleave might be useful. I was not aware of what you said about dev tools.
    Thanks a lot. Very helpful.

  10. #9
    Dev tools almost make "view source" obsolete. Plus, they're in every major browser by default nowadays.

  12. #10
    One question: did you find it by downloading the files of the site?
    Personally I just opened the site up in Firebug (an addon for Firefox) and that showed me each of the scripts that were currently running on that page. I was going to try and brute force it, but I couldn't be bothered.
