Bypass this javascript?
How can I bypass this JavaScript?
<script language="javascript" type="text/javascript">
// Do not edit
function login(){
  var username= document.getElementById('username').value; // location of username
  var password= document.getElementById('password').value; // location of password
  var fullURL= "";
  fullURL= "http://xxxxxxxxxxxxx/"+username + password; // compiled filename that loads user-file
  location.href=fullURL;
}
</script>
seeing as the username and password are the name of a directory or file.
you could do a dictionary attack on the url and try to get common filenames / folders.
check the site's robots.txt? maybe they have a site map?
*also. please note. 20% warn for posting the actual link to the site you wish to "bypass" the login, without providing ownership details *
Glasklar wrote:
fullURL= "http://xxxxxx/"+username + password;
location.href=fullURL;
It's interesting that the username is directly followed by the password in the URL (not separated as get variables etc); this means that if the username would be "abc" and the password is "123" then you could enter "abc123" as the username and leave the password field blank and still get logged in…
PS. Damn nice username you have B) Glasklar ftw ^^
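Added example, not part of any post in this thread: the concatenation ambiguity described above, next to a server-side check that treats the two fields separately and gates the page on a session token instead of on its URL. It assumes Node.js with only the standard library; the function names, the in-memory `users` and `sessions` maps and the sample credentials are hypothetical.

```javascript
const crypto = require('node:crypto');

// The thread's scheme: the browser only builds a URL. The host is the
// placeholder from the original post.
function clientSideTarget(username, password) {
  return 'http://xxxxxxxxxxxxx/' + username + password;
}

// Server side: keep a random salt and an scrypt hash per user, never the password.
function makeRecord(password) {
  const salt = crypto.randomBytes(16);
  return { salt, hash: crypto.scryptSync(password, salt, 32) };
}

// Used for unknown usernames so both paths do the same amount of work.
const DUMMY = makeRecord(crypto.randomBytes(16).toString('hex'));

// users: Map of username -> record. The two fields are checked separately,
// so moving characters from one field to the other no longer matches.
function verifyLogin(users, username, password) {
  const rec = users.get(username);
  const { salt, hash } = rec || DUMMY;
  const candidate = crypto.scryptSync(password, salt, 32);
  const same = crypto.timingSafeEqual(candidate, hash);
  return rec !== undefined && same;
}

const sessions = new Map(); // token -> username (in-memory, for the example)

function login(users, username, password) {
  if (!verifyLogin(users, username, password)) return null;
  const token = crypto.randomBytes(32).toString('hex');
  sessions.set(token, username);
  return token;
}

// The protected page is decided per request by the session token, not by its URL.
function servePage(token) {
  const user = sessions.get(token);
  return user === undefined
    ? { status: 401, body: 'login required' }
    : { status: 200, body: 'members area for ' + user };
}
```

With the original script, `clientSideTarget('abc', '123')` and `clientSideTarget('abc123', '')` are the same URL, and that URL is served to anyone who requests it; with the server-side check only the first pair yields a token.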
Mr_Cheese wrote: seeing as the username and password are the name of a directory or file.
you could do a dictionary attack on the url and try to get common filenames / folders.
check the site's robots.txt? maybe they have a site map?
*also. please note. 20% warn for posting the actual link to the site you wish to "bypass" the login, without providing ownership details *
and when did you prove that it wasn't my site? don't you think you should have a little more information before unleashing the b& hammer?
also do you have any nice articles/lessons or w/e about this dictionary attack?
Glasklar wrote: [quote]Mr_Cheese wrote: seeing as the username and password are the name of a directory or file.
you could do a dictionary attack on the url and try to get common filenames / folders.
check the site's robots.txt? maybe they have a site map?
*also. please note. 20% warn for posting the actual link to the site you wish to "bypass" the login, without providing ownership details *
and when did you prove that it wasn't my site? don't you think you should have a little more information before unleashing the b& hammer?
also do you have any nice articles/lessons or w/e about this dictionary attack?[/quote]
:O read wrong, thought it said directory attack, not dictionary xD I'm used to saying bruteforce so I got confused :O
Glasklar wrote: and when did you prove that it wasn't my site? don't you think you should have a little more information before unleashing the b& hammer?
It's your job to make sure your own posts are legal and valid, not mine.
Glasklar wrote: also do you have any nice articles/lessons or w/e about this dictionary attack?
Intellimapper was a web spider that included a dictionary attack function.
might be able to get a copy of that.
failing that, quickly code your own. extremely easy to do.
theargon has several wordlists that may be handy.
http://www.theargon.com/achilles/wordlists/theargonlists/
COM wrote: Nah, it's not that great, try pronouncing the damn thing in English :P Glaehssclair? xD