Hello dynamicdrivers. Try to steal my password here. Can you do it?
Last edited by traq; 03-23-2014 at 06:23 PM.
I'll do you one better. PM'd.
Well traq and keyboard, since you managed to steal my password, I'll try to do a better job.
One question: did you find it by downloading the files of the site?
Technically, since "visiting" a webpage is just another way of saying you downloaded it, yes. But I didn't do anything special (didn't even use view source). Interestingly, I didn't see your
Last edited by traq; 03-23-2014 at 06:26 PM.
Thanks for the useful remarks, traq.
What I actually did was including the page containing the password (password.html) in a div of the main page (=hackme.html) with the help of onhashchange. This ensured that hackme.html always displayed as hackme.html#password.html. I also put a script in password.html ensuring that this was also true for password.html (displaying as hackme.html#password.html too).
Viewing the source of hackme.html#password.html now only produced the actual source of hackme.html, not the source of the file (password.html) containing the password. So I thought I had created some kind of password protection until I discovered that the whole thing didn't work when the visitor downloaded the site. That's where I thought the onmouseleave might be useful. I was not aware of what you said about dev tools.
Thanks a lot. Very helpful.
Dev tools almost make "view source" obsolete. Plus, they're in every major browser by default nowadays.
Personally I just opened the site up in FireBug (an addon for FireFox) and that showed me each of the scripts that were currently running on that page. I was going to try and brute force it, but I couldn't be botheredOne question: did you find it by downloading the files of the site?