Password - Javascript, can you beat it?


invertigo

Hello all,

I've been working on a little JavaScript lately to protect parts of my website. It's just a script with a single password (no username and such), but I'd like to know if it's a bit safe. Not that I coded it myself 100%; I used parts of existing JavaScript code taken from JS websites and made parts myself.
So, I'd like to ask a few of the pros here to try hacking my script and retrieving the password :).
I hope it's a challenge for the ones who don't mind trying to beat it :).

Of course you are probably wondering why I'm asking this question here. Well, I got this website from a friend of mine who browses it regularly, and he told me there are some fairly good JavaScripters on here :).

But here is the script:


<SCRIPT LANGUAGE="JavaScript">
var str_in;
var str_out = "";
var num_in;
var num_out = "";
var alpha="ABCDEFGHIJKLMNOPQRSTUVWXYZABCDEFGHI";
InternetExplorer = (navigator.appName.indexOf("Microsoft")!=-1);
version5 = (navigator.appVersion.indexOf("5") != -1);
netscape = (navigator.appName.indexOf("Netscape") != -1);
version4 = (navigator.appVersion.indexOf("4.") != -1);
//ip=java.net.InetAddress.getLocalHost().getHostAddress();

if (netscape && version4) {
    ip = "" + java.net.InetAddress.getLocalHost().getHostAddress();
    if (ip.indexOf("131.211.") == 0)
    // This would block anyone with ip address different from 131.211.xxx.xxx
    {
        pw = num_to_str();
        go(pw);
    }
    else {
        pw = passwd();
        go(pw);
    }
}
else {
    pw = passwd();
    go(pw);
}

function num_to_str() {
    str_out = "";
    num_out="9974899982878093";

    for(i = 0; i < 16; i += 2) {
        num_in = parseInt(num_out.substr(i,[2])) + 23;
        num_in = unescape('%' + num_in.toString(16));
        str_out+= num_in;
    }

    passwd = unescape(str_out);

    num_out = "";
    return(passwd);
}

function passwd() {
    var password = "63995" ;
    // The desired password
    var message = "Whats the password im looking for?";
    // The message to show when the user is prompted for the password
    var incmess = "Wrong Pass!";
    // The message to show if the password is incorrect
    var pw = prompt (message,"");

    h1=makehash(pw,3);
    if (h1 != password) {
        alert (incmess);
        //window.history.back ();
        pw="default";
        return(pw);
    }
    else {
        return(pw);
    }
}

function makehash(pw,mult) {
    if (pw == null) {
        return;
    }
    pass=pw.toUpperCase();
    hash=0;
    for (i=0;i<8;i++) {
        letter=pass.substring(i,i+1);
        c=alpha.indexOf(letter,0)+1;
        hash=hash*mult+c;
    }
    return(hash);
}

function go(pw){
    location.href=pw+".shtml";
}

// End -->
</script>

P.S. It's not "63995"; that would be too easy ;)

Invertigo.
 
ziacbcab seems to work, whether or not that's what you intended!

Dave


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
O Time, Strength, Cash, and Patience! [infinity]
 
Nopez, ziacbcab is not the message.
It's actually an existing word, and this one will lead you to a nonexistent page ;). -> ziacbcab.shtml
 
What happens if I browse to your site with javascript disabled?


____________________________________________________________

Need help finding an answer?

Try the Search Facility or read FAQ222-2244 on how to get better results.

 
That part of the website is not listed here,
but I have inserted another, easier code to prevent you from entering the protected area ;)

Just a little side question:
How do you guys get answers? I'd like to do this myself as well :) Are there programs for this or something?
 
Well, we could just keep posting "working" passwords and have you tell us when we've hit it, or you could put the script online somewhere where we could test.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
O Time, Strength, Cash, and Patience! [infinity]
 
I think LFI's point was that there are solutions (at least one) to your code that are not correct, which means the algorithm is flawed.

Lee
 
Yes, indeed.
So that means my algorithm is not right, and that will make it undoable for you guys to get the right pass.
I will try to make a second one with a better algorithm.

I will upload this one to make it available and easier for you guys to test, just by trial and error, or brute force, or whatever you wanna do :P.

But I'm really interested in the way LFI found this entry. I'd like to know how you can do this, because that will prevent me from having to ask others for help next time ;).
 
I'll get back to you tomorrow... with the RIGHT answer! :)

'gotta run right now!

Dave


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
O Time, Strength, Cash, and Patience! [infinity]
 
Yes, it does manarth!

I take it that you are only posting this as a simple test and that you don't intend to actually use this as protection on a web site do you (as it took me about 25 mins to figure out but I suspect the more advanced javascript programmers like manarth figured it out much quicker than that!).

There's also been previous threads on this technique (e.g. thread216-770162)


____________________________________________________________

Need help finding an answer?

Try the Search Facility or read FAQ222-2244 on how to get better results.

 
manarth is the winner.
He managed to get it :).

Well, I'm not going to use this code. I've just been practicing JS lately, and wanted to see if I could make something like this. I know that JS is a weak way to protect important files.

Btw, I think I've spotted another weakness in my script. With a simple website indexer you will probably find the "password" + .shtml very easily.
 
woohoo! what's my prize ;-)

Thanks for an interesting thread invertigo - I'm glad you're not going to use the code (except, perhaps as a challenge on a codebreakers website?) but it was fun going through it.

Whilst the num_to_str function gave out the answer, the interesting thing is the number of other 'valid' answers. I wrote a brute force JavaScript to produce a list of every valid password, but with 26^8 possibilities my poor browser keeled over and died.

In the end, the security amounts to 'guess the url', which brings me onto another 'guess the url' game I played recently that you may find fun - Tricky's riddles (a student at Exeter uni with too much time on his hands!)

---
Marcus
better questions get better answers - faq581-3339
accessible web design - zioncore.com
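
The tally that the brute-force run described above could not finish, as an added example that is not part of the original thread or any poster's code: it re-implements the posted makehash() and num_to_str() arithmetic and uses dynamic programming to count how many 8-letter A-Z strings land on each hash value. The names ALPHA, decodeEmbedded and hashDistribution are introduced here, and passwords are assumed to be exactly 8 letters.

```javascript
// Added example: analysis of the makehash() check from the script in this thread.
const ALPHA = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";

// Same arithmetic as the thread's makehash(): base-`mult` accumulation of
// letter positions (A=1 .. Z=26) over the first 8 characters.
function makehash(pw, mult) {
  const pass = pw.toUpperCase();
  let hash = 0;
  for (let i = 0; i < 8; i++) {
    hash = hash * mult + ALPHA.indexOf(pass.charAt(i)) + 1;
  }
  return hash;
}

// Same decoding as the thread's num_to_str(): each two-digit group plus 23
// is a character code, so the embedded constant is encoded, not secret.
function decodeEmbedded(digits) {
  let out = "";
  for (let i = 0; i < digits.length; i += 2) {
    out += String.fromCharCode(parseInt(digits.substr(i, 2), 10) + 23);
  }
  return out;
}

// dist[h] = number of `length`-letter A-Z strings whose hash is h.
// Dynamic programming over positions: a few million additions
// instead of enumerating 26^8 strings one by one.
function hashDistribution(mult, length) {
  let dist = [1]; // the empty prefix hashes to 0
  for (let pos = 0; pos < length; pos++) {
    const next = new Array((dist.length - 1) * mult + 27).fill(0);
    dist.forEach((count, h) => {
      if (count === 0) return;
      for (let c = 1; c <= 26; c++) next[h * mult + c] += count;
    });
    dist = next;
  }
  return dist;
}

const dist = hashDistribution(3, 8);
const reachable = dist.filter((n) => n > 0).length;
console.log("decoded constant:", decodeEmbedded("9974899982878093"));
console.log("hash of zapzingt:", makehash("zapzingt", 3));
console.log("hash of ziacbcab:", makehash("ziacbcab", 3));
console.log("distinct hash values:", reachable, "of", 26 ** 8, "inputs");
console.log("8-letter strings accepted for 63995:", dist[63995]);
```

With a multiplier of 3 and letter values up to 26, the 26^8 possible inputs collapse onto a few tens of thousands of hash values, so the prompt accepts a very large set of strings and only the resulting page name separates the right one from the rest.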
 

I'm glad you liked it :).

Your prize? Err... you can use this script whenever you want to, post it on codebreakers websites ;). I'm not so into these websites.
But it looks like this script was more challenging than I thought it would be. (Well, I couldn't solve it myself either in the end...)

That Tricky's riddles looks good; at least it's a nice way to learn more from JS and the logarithms used with it. Let's see if I can get past lvl 10 :P
 
zapzingt is the answer? That's an "existing word"?

And you're right about the site indexer! That's why I wanted you to put it online! :)

Dave

P.S., a nice prize for manarth might be a star!


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
O Time, Strength, Cash, and Patience! [infinity]
 
If you tell me how to give him one, I would give it to him ;)
 
Under any of manarth's posts, click the link that says 'Thank manarth for this valuable post!' You'll get a pop-up asking you to confirm your action. Click 'Click here to confirm...' and you've just awarded your first star!


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
O Time, Strength, Cash, and Patience! [infinity]
 
lol, found it already,
and I gave him 1 ;)
(I miss the edit button ^^)
 
'guess you figured it out! :)


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
O Time, Strength, Cash, and Patience! [infinity]
 