  1. #1

    Need help with a password script I found.

    First off, this is my first post here.

    I have found a JavaScript snippet for a specialized password script, though I
    do not know why it would be special.

    I am fairly new at JavaScript and am learning it as part of education.

    But something really does not add up with this thing, it is just... fishy.

    I am looking forward to seeing if anyone would be kind enough to tell me what is going on in this code.

    Code:
    <script language="JavaScript1.2">
    <!--
    
    
    function get_password() {
      orig_pass = prompt("Please enter password","");
      if (orig_pass!=null && orig_pass!="")
      password = new Array(orig_pass.length);
      for(i=0; i<orig_pass.length; i++) {
        password[i] = orig_pass.charCodeAt(i);
      }
      return password;
    }
    
    password = get_password();
    orig = unescape("sl/iECN%22ttp%3AP%20%3Chwxh.Iw3g/TR%22.Prhl/l%201//xhtTD/D1.%20r%20anionaOsTtdxa%22/%3EmhtmlLmY%3CmwDs%20%3D%22p%3A//Dh%20twxB3T.o1999nrH/h%3ETlC%22%3E%3Chea%22mtmmea%3CXmehttpot%20%20qTlvi%3D%22tentTC/nytC%22E%20cent%3DioLtes0/-ht%20chammn%3Bem/uMtf%20/%3Emt-/%22%3C0wtole9%2033g%3E/11im0t%20311%3C/m3m9ttt%3EWmmtyleamlsy%3Ed%3D1%22t/cssoe%20tm%20n%3C%21%21-mbodn-wm%7BdwmU%09bgroula/k-0mlDor00008%3Ad%23%3Bdmmr%7Dmody%2C1m-b%2C%3Ai%20m%7Bmcolo%20m-%09%20meF3FFmmm%7D%3CF%22%3Bm%3Et%3E.mmstylxmr/%3Cb%3De/admmmmm%3Emmoii%3Ewmmiv%20acm%20dgm1%22tcer%22%3Em%20nte%20%20ep-%3E133%200m1%20%201me3t3%20%3C/p%3Em9%221mpm%3Clp%3Esp%3B%3CF%26yb%3E%3Bmm.%20%20%26nbs%3C%3Cn%3E%3Cmo%3Etmmdiv%3Emm0/mtmbmodmm%3C/%3Cytmm%3Dhmummc/F-tmrm%20%3Cpppm9mp-//pte0%20%3Cxm11tmhd%3C/%20%3C%20%20%3Etmmn%23hynl%3Ellm");
    orig = orig.split("");
    
    passnum = orig.length % password.length;
    for(i=orig.length-1; i>=0; i--) {
    
      passnum--;
      if (passnum == -1) passnum = password.length - 1;
      
      pos1 = i;
      pos2 = i + password[passnum];
    
      if (pos2 >= orig.length) continue;
    
      char1 = orig[pos1];
      char2 = orig[pos2];
    
      orig[pos2] = char1;
      orig[pos1] = char2;
    
    }
    
    orig1 = "";
    for(i=0;i<orig.length;i++) {
      orig1 = orig1 + orig[i];
    }
    orig1 = orig1.replace(/mmm/g,"\r\n");
    
    document.write(orig1);
    
    //-->
    
    </script>

  • #2
    felgall
    That is an excellent example of antiquated and long dead JavaScript calls.

    The <!-- --> around the script is to hide the code from Internet Explorer 2 and Netscape 1 - neither of which understood JavaScript - both of those browsers have been dead for almost 20 years.

    The language attribute on the script tag was replaced almost that long ago by the type attribute.

    prompt() ceased to be used in live pages when Netscape 4 died. More recently it was used for debugging but now that all browsers have a built in debugger even that use is unnecessary.

    unescape() was declared obsolete long ago because it only supports limited character sets. It was replaced by decodeURI() a long time ago.

    document.write() has been obsolete since Netscape 4 died.

    Anyway the entire script is pointless - as is any JavaScript password script since the person accessing the page has complete access to the code of the script and can easily modify it to find out what password the script expects or even to bypass the entire password check (although not in this case where the entire page content is generated by the script and so the page is inaccessible to everyone without JavaScript - which is why such scripts are pointless).

    Insert console.log(password); just before the return password call to see what the password you enter gets converted to. You can also set breakpoints using the debugger built into your browser to test what values all of the variables have at each spot in the code.

    Just by looking at the code I can see that the entered password is being converted to an array of numbers and that those numbers are being used as offsets into the orig string to retrieve the characters to output the web page and so if the wrong password were entered then the wrong offsets would be used resulting in a jumbled mess in place of the web page.
    Last edited by felgall; 01-05-2014 at 03:33 AM.
    Stephen
    Learn Modern JavaScript - http://javascriptexample.net/
    Helping others to solve their computer problem at http://www.felgall.com/

    Don't forget to start your JavaScript code with "use strict"; which makes it easier to find errors in your code.
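
The scheme discussed in the two posts above, restated as an added example that is not code from the thread: the posted swap loop as a pure function, an assumed inverse, and a check showing that the shuffle keeps every character of the page in plain view. The names `shuffle`, `scramble`, `unscramble` and `sameCharacters`, the sample page and both passwords are constructed for illustration.

```javascript
// Added example: the thread's keyed character shuffle as pure functions.
// The page text and passwords below are constructed samples, not the thread's data.

// Same conversion as get_password(): one UTF-16 code unit per character.
function keyCodes(password) {
  return Array.from({ length: password.length }, (_, i) => password.charCodeAt(i));
}

// Swap position i with position i + key[i % key.length], skipping out-of-range
// targets. The posted passnum counter works out to exactly i % key.length.
function shuffle(text, password, reverseOrder) {
  const key = keyCodes(password);
  if (key.length === 0) return text; // the posted script would divide by zero here
  const chars = text.split("");
  const n = chars.length;
  for (let step = 0; step < n; step++) {
    const i = reverseOrder ? n - 1 - step : step;
    const j = i + key[i % key.length];
    if (j >= n) continue;
    [chars[i], chars[j]] = [chars[j], chars[i]];
  }
  return chars.join("");
}

// The posted loop walks from the last character down to the first.
const unscramble = (scrambled, password) => shuffle(scrambled, password, true);

// Assumed inverse (the thread never shows how the page was prepared):
// the same swaps applied in the opposite order.
const scramble = (plain, password) => shuffle(plain, password, false);

// A shuffle only moves characters, so the scrambled text exposes exactly the
// characters of the page (tags, words, punctuation) to anyone who views source.
function sameCharacters(a, b) {
  return a.split("").sort().join("") === b.split("").sort().join("");
}

const page = "<html><body>" + "<p>constructed sample line</p>".repeat(8) + "</body></html>";
const scrambled = scramble(page, "hunter2");
console.log(unscramble(scrambled, "hunter2") === page);     // right password restores the page
console.log(unscramble(scrambled, "hunter3").slice(0, 40)); // wrong password: jumbled markup
console.log(sameCharacters(page, scrambled));               // the content was never hidden
```

Because the swap positions depend only on the password and the text length, the protection rests entirely on a reordering whose inputs and algorithm are both delivered to the browser.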

  • #3
    Well, what in the name of... all that is binary... just out of curiosity, what would the password be? Also, do you have a source for a better snippet?

  • #4
    felgall
    Quote: Originally Posted by Comitatens
    do you have a source for a better snippet?
    Yes - it can't be done properly in JavaScript - whichever server side language you are using will work much better - or you can use the web server itself.

    For example with PHP see http://www.felgall.com/php3.php for a very simple password script or http://www.felgall.com/php19.htm for a more advanced one that provides individual logins with each person being able to change their own password at any time.

    Alternatively with an Apache web server it can be done with a couple of lines in the .htaccess file and a .htpasswd file and apply to an entire folder or site in one go.

  • #5
    Luckily I just have to make an example of a password code in JavaScript, not implement it server-side.

    But I am interested in the security of this. I found that there actually is a built-in password function, something like get.password, which takes the keyboard input and compares it to a hidden value... but is that value hidden at all?

  • #6
    Forgot to mention, our teacher will try to crack/bypass this code, so it has to be waterproof. It's an exercise in making sound logic loops and minimizing attack vectors (do you call it that?).

    He has a preset server, which he will just attach it to, and then try to gain access (maybe we will be able to get a try too).

  • #7
    Philip M
    As felgall says, you really need a new teacher.

    "That is an excellent example of antiquated and long dead JavaScript calls."

    You would not expect to be taught long-obsolete stuff in any other subject such as law, medicine or physics, would you?

    The only reasonably secure JavaScript password script is one which redirects to an HTML page whose URL is (the unguessable) password.
    Last edited by Philip M; 01-05-2014 at 01:13 PM. Reason: Typo

    All the code given in this post has been tested and is intended to address the question asked.
    Unless stated otherwise it is not just a demonstration.
