
Hacking Javascripts


By ghostghost

All right, for all you peeps out there who are having trouble hacking your way through a simple JavaScript password check, I wrote this simple but effective article.

Let's start with the following question: what happens when we enter our password into a JavaScript check? Or, what actions does the script perform to verify us?

The answer is simple: The script compares our input with a given value or variable.

Let us look at three different examples:

1. Comparing with a given value

    function checkpass(enteredpassword) {
        // compare the input directly with the literal password
        if (enteredpassword == "dapass") {
            alert("You got it!")
        } else {
            alert("Invalid UserID")
        }
    }

I suppose nobody has problems with this. The password you need to enter is dapass.

2. Comparing with a variable

    function checkpass(enteredpassword) {
        var pass = "dapass"
        // compare the input with the variable that holds the password
        if (enteredpassword == pass) {
            alert("You got it!")
        } else {
            alert("Invalid UserID")
        }
    }

I think this is also a very simple script. You clearly see what value/variable the script is comparing your input to and what its value is.

3. Comparing with a variable but…

    function checkpass(enteredpassword) {
        var pass = "da"
        var pass2 = "pass"
        var pass3 = pass + pass2 // this line combines "da" and "pass" into "dapass"
        if (enteredpassword == pass3) {
            alert("You got it!")
        } else {
            alert("Invalid UserID")
        }
    }

John Doe might think: "w00t, this is too easy!" and yes, this is an easy script, but it's the concept that counts. What if there are all sorts of calculations and functions editing the final variable? You could reconstruct everything by hand, but that will take a while, no? John Doe will possibly think: "I will just enter javascript:alert(pass3) in my browser to pop up a window with the pass. OK… huh? Why is the box empty?"

A big hint to everyone: always try the script with some gibberish first, or else some variables/actions won't have been initialized/used yet. So no wonder JD gets an empty alert box: the operation pass + pass2 that fills the pass3 variable was never executed, thus it doesn't contain any value!

After executing the script with random values, JD finds the pass with javascript:alert(pass3), and he lives happily ever after…

NOTE 1: The script may not be in the page itself but in an external file. You can use the JSView extension for Firefox to easily find external JavaScript/CSS files.

NOTE 2: The method described in 3 requires some logical thinking, and you will need to view the script itself to get the variable (duh!). E.g. if the script says if (enteredpassword==pass) {…}, don't start looking in the variable pass3 or anything ;)

Voilà, I hope this article helped you and contained just what you were expecting. If you want to know more, or you're thinking "Why isn't this or that discussed here?", just leave a comment and I'll add it or simply write a v2 of my article ;)

The_Cell

Comments
ghost 18 years ago

haha great :P u can solve almost all the stegs on this site.. and "he lives happily ever after…" made me laugh :P i was hoping maybe someone could make a new genre of javascript challenges? ones that need another .. concept….

ghost 18 years ago

I think you mean javascript instead of stegs :p Thanx for the comment, I get the hint… I'll do my best ;)

ghost 18 years ago

yep lol javascripts** :P well i wasnt implying you, just talking in general :)

ghost 18 years ago

what if we get this type of pass check. ///

if(encrypt==checkpass&&tell==0){alert('Access Granted')

please pm me.

more of the code is:

    alcode=deconstruct
    var encrypt=new Array()
    for(count=2;count<finalcode.length+2;count+=2){
        eval("encrypt["+((count/2)-1)+"]='"+((finalcode.charAt(count-2)!='0')?finalcode.charAt(count-2):'')+""+finalcode.charAt(count-1)+"'")
        encrypt[((count/2)-1)]=acharset.charAt(Math.round((acharset.length*encrypt[((count/2)-1)])/100))
    }
    encrypt=encrypt.join('')
    if(counttimes<times){mkasci(encrypt)}
    else {
        counttimes=0
        if(encrypt==checkpass&&tell==0){alert('Access Granted');location.replace(storeup+encrypt.substring(0,5)+".html");}
        else {
            if(tell==1){document.write("<B>"+storeup+"</B> is encrypted as <B>"+encrypt+"</B>");}
            else {
                if(history.length>0){ alert("Access Denied"); history.go(-1); }
                else {location.replace("http://polymathic.tripod.com/hs/reject.html")}

ghost 18 years ago

sorry that looked sloppy.

just visit here and view the source, Thanks great article by the way..

Please Pm me regarding this

here's source link

http://www.bailacademy.org/restrictedarea.html

ghost 18 years ago

I suggest echoing all the variables and then trying to roughly reconstruct how the script edits all of its strings.

ghost 17 years ago

nice article B)