Need help with a password script I found.



Comitatens
Jan 4th, 2014, 11:37 PM
First off, this is my first post here :)

I have found a JavaScript snippet for a specialized password script, though I do not know why it would be special.

I am fairly new at JavaScript and am learning it as part of education.

But something really does not add up with this thing, it is just...fishy.

Looking forward to seeing if anyone would be kind enough to tell me what is going on in this code :D




<script language="JavaScript1.2">
<!--


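function get_password() {
    orig_pass = prompt("Please enter password","");
    // Only the next statement is guarded by this if (there are no braces);
    // a cancelled prompt (null) still reaches the loop below.
    if (orig_pass!=null && orig_pass!="")
        password = new Array(orig_pass.length);
    // Convert each character of the password to its character code.
    for(i=0; i<orig_pass.length; i++) {
        password[i] = orig_pass.charCodeAt(i);
    }
    return password;
}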

password = get_password();
orig = unescape("sl/iECN%22ttp%3AP%20%3Chwxh.Iw3g/TR%22.Prhl/l%201//xhtTD/D1.%20r%20anionaOsTtdxa%22/%3EmhtmlLmY%3CmwDs%20%3D%22p%3A//Dh%20twxB3T.o1999nrH/h%3ETlC%22%3E%3Chea%22mtmmea%3CXmehttpot%20%20qTlvi%3D%22tentTC/nytC%22E%20cent%3DioLtes0/-ht%20chammn%3Bem/uMtf%20/%3Emt-/%22%3C0wtole9%2033g%3E/11im0t%20311%3C/m3m9ttt%3EWmmtyleamlsy%3Ed%3D1%22t/cssoe%20tm%20n%3C%21%21-mbodn-wm%7BdwmU%09bgroula/k-0mlDor00008%3Ad%23%3Bdmmr%7Dmody%2C1m-b%2C%3Ai%20m%7Bmcolo%20m-%09%20meF3FFmmm%7D%3CF%22%3Bm%3Et%3E.mmstylxmr/%3Cb%3De/admmmmm%3Emmoii%3Ewmmiv%20acm%20dgm1%22tcer%22%3Em%20nte%20%20ep-%3E133%200m1%20%201me3t3%20%3C/p%3Em9%221mpm%3Clp%3Esp%3B%3CF%26yb%3E%3Bmm.%20%20%26nbs%3C%3Cn%3E%3Cmo%3Etmmdiv%3Emm0/mtmbmodmm%3C/%3Cytmm%3Dhmummc/F-tmrm%20%3Cpppm9mp-//pte0%20%3Cxm11tmhd%3C/%20%3C%20%20%3Etmmn%23hynl%3Ellm");
orig = orig.split("");

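// Start the key index so that position i always uses password[i % password.length].
passnum = orig.length % password.length;
// Walk the scrambled text from the last character to the first.
for(i=orig.length-1; i>=0; i--) {

    passnum--;
    if (passnum == -1) passnum = password.length - 1;

    // Swap partner: the current position plus the character code of the key character.
    pos1 = i;
    pos2 = i + password[passnum];

    if (pos2 >= orig.length) continue;

    char1 = orig[pos1];
    char2 = orig[pos2];

    orig[pos2] = char1;
    orig[pos1] = char2;

}

// Join the characters back into one string.
orig1 = "";
for(i=0;i<orig.length;i++) {
    orig1 = orig1 + orig[i];
}
// Every "mmm" in the reassembled text becomes a line break.
orig1 = orig1.replace(/mmm/g,"\r\n");

// Write the reconstructed page into the document.
document.write(orig1);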

//-->

</script>

felgall
Jan 5th, 2014, 03:23 AM
That is an excellent example of antiquated and long dead JavaScript calls.

The <!-- --> around the script is to hide the code from Internet Explorer 2 and Netscape 1 - neither of which understood JavaScript - both of those browsers have been dead for almost 20 years.

The language attribute on the script tag was replaced almost that long ago by the type attribute.

prompt() ceased to be used in live pages when Netscape 4 died. More recently it was used for debugging but now that all browsers have a built-in debugger even that use is unnecessary.

unescape() was declared obsolete long ago because it only supports limited character sets. It was replaced by decodeURI() a long time ago.

document.write() has been obsolete since Netscape 4 died.

Anyway the entire script is pointless - as is any JavaScript password script since the person accessing the page has complete access to the code of the script and can easily modify it to find out what password the script expects or even to bypass the entire password check (although not in this case where the entire page content is generated by the script and so the page is inaccessible to everyone without JavaScript - which is why such scripts are pointless).

Insert console.log(password); just before the return password call to see what the password you enter gets converted to. You can also set breakpoints using the debugger built into your browser to test what values all of the variables have at each spot in the code.

Just by looking at the code I can see that the entered password is being converted to an array of numbers and that those numbers are being used as offsets into the orig string to retrieve the characters to output the web page and so if the wrong password were entered then the wrong offsets would be used resulting in a jumbled mess in place of the web page.
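
The mechanism felgall describes, as an added example that is not part of the thread: the password's character codes act as swap offsets, so the posted loop is a keyed transposition. The page text and both passwords are constructed; scramble() is the inverse pass that would produce the embedded string, and sameCharacters() shows that the embedded string still holds every character of the page.

```javascript
// Added example, not code from the thread. SAMPLE_PAGE and both passwords are constructed.
const SAMPLE_PAGE =
  "<html><body><h1>Members area</h1><p>Constructed sample page for the demo.</p></body></html>";

// One pass of the keyed swaps. Position i is swapped with i + (char code of the
// password character at i % password.length); the swap is skipped when that
// target lies past the end of the text, exactly as in the posted script.
function transpose(text, password, forward) {
  if (password.length === 0) throw new Error("password must not be empty");
  const key = password.split("").map((ch) => ch.charCodeAt(0));
  const chars = text.split("");
  const n = chars.length;
  for (let step = 0; step < n; step++) {
    const i = forward ? step : n - 1 - step;
    const j = i + key[i % key.length];
    if (j >= n) continue;
    [chars[i], chars[j]] = [chars[j], chars[i]];
  }
  return chars.join("");
}

// The posted script walks i from the end down to 0 (unscramble); running the
// same swaps from 0 upwards is the inverse and yields the string to embed.
const scramble = (text, password) => transpose(text, password, true);
const unscramble = (text, password) => transpose(text, password, false);

// A transposition only moves characters around, so the embedded string always
// contains exactly the characters of the protected page.
function sameCharacters(a, b) {
  const sorted = (s) => s.split("").sort().join("");
  return sorted(a) === sorted(b);
}

function demo() {
  const embedded = scramble(SAMPLE_PAGE, "K7Q2ZX");
  return {
    embedded,
    rightPassword: unscramble(embedded, "K7Q2ZX") === SAMPLE_PAGE,
    wrongPassword: unscramble(embedded, "zebra-99") === SAMPLE_PAGE,
    leaksCharacters: sameCharacters(embedded, SAMPLE_PAGE),
  };
}

console.log(demo());
```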

Comitatens
Jan 5th, 2014, 04:26 AM
Well, what in the name of... all that is binary :confused: :confused: ... Just out of curiosity, what would the password be? Also, do you have a source for a better snippet?

felgall
Jan 5th, 2014, 08:28 AM
"do you have a source for a better snippet?"

Yes - it can't be done properly in JavaScript - whichever server-side language you are using will work much better - or you can use the web server itself.

For example with PHP see http://www.felgall.com/php3.php for a very simple password script or http://www.felgall.com/php19.htm for a more advanced one that provides individual logins with each person being able to change their own password at any time.

Alternatively with an Apache web server it can be done with a couple of lines in the .htaccess file and a .htpasswd file and apply to an entire folder or site in one go.
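
The server-side alternative felgall recommends, sketched in Node.js so it can be compared with the posted script (an added example, not from the thread and not the PHP or Apache setups he mentions). The account, password and page are constructed; respond() is a hypothetical helper that maps an Authorization header to the response, following the HTTP Basic exchange that an .htaccess/.htpasswd setup typically uses.

```javascript
// Added example, not code from the thread. Account, password and page are constructed.
const nodeCrypto = require("node:crypto");

const PROTECTED_PAGE = "<html><body><h1>Members area</h1></body></html>";

// What the server stores per account: a random salt and an scrypt hash, not the password.
function makeRecord(password) {
  const salt = nodeCrypto.randomBytes(16);
  return { salt, hash: nodeCrypto.scryptSync(password, salt, 32) };
}
const USERS = new Map([["student", makeRecord("K7Q2ZX")]]);
const DUMMY = makeRecord("unused"); // hashed against when the user name is unknown

function verify(user, password) {
  const record = USERS.get(user) || DUMMY;
  const candidate = nodeCrypto.scryptSync(password, record.salt, 32);
  // Constant-time comparison; unknown users do the same work and always fail.
  const same = nodeCrypto.timingSafeEqual(candidate, record.hash);
  return same && USERS.has(user);
}

// Takes the Authorization header value and returns what goes back to the browser.
// Without valid credentials the body is empty: no page content leaves the server.
function respond(authorization) {
  const denied = {
    status: 401,
    headers: { "WWW-Authenticate": 'Basic realm="members"' },
    body: "",
  };
  const match = /^Basic ([A-Za-z0-9+\/=]+)$/.exec(authorization || "");
  if (!match) return denied;
  const decoded = Buffer.from(match[1], "base64").toString("utf8");
  const colon = decoded.indexOf(":");
  if (colon < 0) return denied;
  if (!verify(decoded.slice(0, colon), decoded.slice(colon + 1))) return denied;
  return { status: 200, headers: { "Content-Type": "text/html" }, body: PROTECTED_PAGE };
}

// Builds the header a browser would send after the login dialog.
const basic = (user, password) =>
  "Basic " + Buffer.from(user + ":" + password).toString("base64");
```

Basic credentials are only base64-encoded in transit, so this exchange needs HTTPS underneath it.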

Comitatens
Jan 5th, 2014, 12:13 PM
Luckily I just have to make an example of a password code in JavaScript, not implement it server-side. :thumbsup:

But I am interested in the security of this. I found that there actually is a built-in password function, something like get.password, which takes the keyboard input and compares it to a hidden value... but is that value hidden at all? :confused:

Comitatens
Jan 5th, 2014, 12:17 PM
Forgot to mention, our teacher will try to crack/bypass this code, so it has to be waterproof. It's an exercise in making sound logic loops and minimizing attack vectors (do you call it that?).

He has a preset server, which he will just attach it to, and then try to gain access (maybe we will be able to get a try too :p)

Philip M
Jan 5th, 2014, 12:50 PM
As felgall says, you really need a new teacher.

"That is an excellent example of antiquated and long dead JavaScript calls."

You would not expect to be taught long-obsolete stuff in any other subject such as law, medicine or physics, would you?

The only reasonably secure JavaScript password script is one which redirects to an HTML page whose URL is (the unguessable) password.