Circumnavigating javascript password system



rhodopsin
11-06-2004, 02:11 PM
I wish to know whether there is any way for a website visitor to find the .html filename of all webpages on that website, even those that they cannot get to because they are behind a login page that they do not have the password for.
The relevance of this question to my current work is that I am trying to implement a javascript password system:
----------------------------------------
PASSWORD SCRIPT
------------------
If a visitor wants to go to the password protected page, they must first enter the correct password on the previous page. (Note: The password is the protected filename without the .html ending.)
This method is secure as long as the person cannot find out the name of all the files on your server. Is it possible to stop them knowing the names of all the files on my server?
---------------------------------------
<BODY>

<SCRIPT LANGUAGE="JavaScript">
var password = ''
password=prompt('Please enter your password:','');
if (password!= null) {
location.href= password + ".html";
}
</SCRIPT>

</BODY>

So my question is:

Is it possible for a website viewer to see all the filenames on my server? Perhaps to bring up some kind of index to see all the filenames on my server?

If so they would be able to crack this password system. Tragedy!

By the way - I know that server side is the way to go for security - but just humour me. I am trying to do it with javascript.

Would really appreciate some advice. Thanks guys.

rhodopsin
11-06-2004, 03:20 PM
From the research I have done on the web - a fair proportion of people that use javascript for password protection of pages think that the following is the best (worth a look - is quite interesting):

http://www.codingforums.com/showthread.php?s=&threadid=10114

I realise that the script that I posted in my last post was a bit simplistic. But even this really good script (follow the link) is vulnerable to persons looking at your files on the server.

So, to re-ask my Q:

Is there any way that I can prevent persons from discovering the names of all the files on my server? Best,

kansel
11-06-2004, 06:34 PM
Depending on how the webserver is set up, Borgtex's system is safe enough for non-commercial projects, as long as the directory containing the LoginPassword.js files is "protected" by an index.html page. If you have access to the server you could turn indexes off; this would also protect the .js files.

rhodopsin
11-06-2004, 11:19 PM
"As long as the directory containing the LoginPassword.js files is "protected" by an index.html page."

What do you mean by "protected"? Some people have said to me that creating an index.html page is enough to protect a directory - doesn't matter what is on it. Just its pure existence is a defence as it stops people creating their own index.html to see the files in the directory. Is this true? Am I on the right track?

scroots
11-06-2004, 11:39 PM
Like a .htaccess referer check would protect it, so if it wasn't your website accessing it, it would prompt for a password.

I have a program that can download your entire site, all the files and folders that are accessible, so could probably bypass it if required.

scroots

kansel
11-06-2004, 11:53 PM
What I meant by "protected" is exactly that. It essentially hides your files from casual browsing, but you need server-side to really protect anything.

fci
11-07-2004, 12:43 AM
Well.. one way to see if something got indexed on your site is to google it, i.e.,
http://www.google.com/search?num=100&hl=en&lr=&client=firefox-a&q=site%3Ahttp%3A%2F%2Fwww.codingforums.com&btnG=Search
The search term was:
site:http://www.codingforums.com
I believe you can tell spiders not to index your site (in robots.txt) but it's not something I've ever been concerned about.

I recommend something serverside if you want to really protect your stuff.
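
The server-side approach recommended in the replies above, as an added example that is not part of the original thread: the server checks a password on every request, so learning the filename from a directory index or a search engine gains nothing. The path /members.html, the sample password, the page body and the port are all constructed for illustration.

```javascript
// Added example (not from the thread): the server, not the URL, decides access.
const crypto = require('crypto');
const http = require('http');

// Constructed sample credential; only a salted scrypt hash is kept in memory.
const SALT = crypto.randomBytes(16);
const STORED_HASH = crypto.scryptSync('correct horse battery', SALT, 32);
const PROTECTED_HTML = '<h1>Members only</h1>'; // hypothetical page body

function passwordOk(candidate) {
  const hash = crypto.scryptSync(String(candidate), SALT, 32);
  return crypto.timingSafeEqual(hash, STORED_HASH); // constant-time compare
}

// Extract the password from "Authorization: Basic base64(user:password)".
function basicPassword(header) {
  const m = /^Basic ([A-Za-z0-9+\/=]+)$/.exec(header || '');
  if (!m) return null;
  const decoded = Buffer.from(m[1], 'base64').toString('utf8');
  const i = decoded.indexOf(':');
  return i < 0 ? null : decoded.slice(i + 1);
}

// Knowing the filename is never sufficient: every request is checked.
function respond(url, headers) {
  if (url !== '/members.html') return { status: 404, body: 'Not found' };
  const pw = basicPassword(headers.authorization);
  if (pw === null || !passwordOk(pw)) {
    return { status: 401, body: 'Login required',
             extra: { 'WWW-Authenticate': 'Basic realm="members"' } };
  }
  return { status: 200, body: PROTECTED_HTML };
}

function makeServer() {
  return http.createServer((req, res) => {
    const r = respond(req.url, req.headers);
    res.writeHead(r.status, { 'Content-Type': 'text/html', ...(r.extra || {}) });
    res.end(r.body);
  });
}

// Run with "--serve" to listen locally; put TLS in front, since Basic auth
// sends the password base64-encoded, not encrypted.
if (process.argv.includes('--serve')) makeServer().listen(8080, '127.0.0.1');
```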


