javascript

Brandon

Guest
My friend just launched his webpage and said he had security on it. The Master H4x0r goes to the login and sees this in the source.



HTML:
<!-- TWO STEPS TO INSTALL MULTIPLE USERS:
 
1. Copy the first code into the HEAD of your HTML document
2. Put the last coding into the BODY of your HTML document -->
 
<!-- STEP ONE: Copy this code into the HEAD of your login HTML document -->
 
<HEAD>
 
<SCRIPT LANGUAGE="JavaScript">
 
<!-- This script and many more are available free online at -->
<!-- The JavaScript Source!! http://javascript.internet.com -->
 
<!-- Begin
function Login(){
var done=0;
var username=document.login.username.value;
username=username.toLowerCase();
var password=document.login.password.value;
password=password.toLowerCase();
if (username=="member1" && password=="password1") { window.location="page1.html"; done=1; }
if (username=="member2" && password=="password2") { window.location="page2.html"; done=1; }
if (username=="member3" && password=="password3") { window.location="page3.html"; done=1; }
if (done==0) { alert("Invalid login!"); }
}
// End -->
</SCRIPT>
 
<!-- STEP TWO: Paste this code into the BODY of your HTML document -->
 
<BODY>
 
<center>
<form name=login>
<table width=225 border=1 cellpadding=3>
<tr><td colspan=2><center><font size="+2"><b>Members-Only Area!</b></font></center></td></tr>
<tr><td>Username:</td><td><input type=text name=username></td></tr>
<tr><td>Password:</td><td><input type=text name=password></td></tr>
<tr><td colspan=2 align=center><input type=button value="Login!" onClick="Login()"></td></tr>
</table>
</form>
</center>
 
<p><center>
<font face="arial, helvetica" size="-2">Free JavaScripts provided<br>
by <a href="http://javascriptsource.com">The JavaScript Source</a></font>
</center><p>
 
<!-- Script Size: 1.60 KB -->



I can't believe it, that's not security! I have decided to open a little site that will have 20 levels of JAVASCRIPT security and then will allow NedreN or another person with good knowledge of PHP and HTML to try and get to level 20. Then I will open the site to everyone so they can see how n00bish they are.
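
A server-side counterpart to the client-side check in the post above, added here as an example (it is not part of the original thread or of the script it quotes): the password never reaches the browser as a literal, and a members page is served only to a session that has logged in. The names `createUser`, `login` and `mayRead`, the scrypt parameters and the sample passphrases are assumptions constructed for the example; it runs under Node.js.

```javascript
const crypto = require('node:crypto');

const SCRYPT = { N: 16384, r: 8, p: 1 }; // cost parameters chosen for the example
const KEY_LEN = 32;
const USERS = new Map();    // username -> { salt, hash, page }, kept on the server
const SESSIONS = new Map(); // random token -> page that session may read

// Store only a per-user salt and the derived hash, never the password itself.
function createUser(username, password, page) {
  const salt = crypto.randomBytes(16);
  const hash = crypto.scryptSync(password, salt, KEY_LEN, SCRYPT);
  USERS.set(username.toLowerCase(), { salt, hash, page });
}

// Used when the username is unknown, so both failure paths do the same work.
const DUMMY = { salt: crypto.randomBytes(16), hash: crypto.randomBytes(KEY_LEN) };

// Returns a session token on success, null on any failure.
// The caller answers every null with the same "Invalid login!" message.
function login(username, password) {
  if (typeof username !== 'string' || typeof password !== 'string') return null;
  const record = USERS.get(username.toLowerCase());
  const { salt, hash } = record || DUMMY;
  const candidate = crypto.scryptSync(password, salt, KEY_LEN, SCRYPT);
  // Both buffers are KEY_LEN bytes, so the constant-time compare cannot throw.
  const ok = crypto.timingSafeEqual(candidate, hash);
  if (!record || !ok) return null;
  const token = crypto.randomBytes(32).toString('hex');
  SESSIONS.set(token, record.page);
  return token;
}

// Called before serving any members page: knowing the URL is not enough.
function mayRead(token, page) {
  return typeof token === 'string' && SESSIONS.has(token) && SESSIONS.get(token) === page;
}

// Constructed sample accounts mirroring the member/page layout of the script above.
createUser('member1', 'constructed-passphrase-1', 'page1.html');
createUser('member2', 'constructed-passphrase-2', 'page2.html');
```

Unlike the script in the post, the password is not lowercased before it is checked, and a real deployment would also expire the entries in `SESSIONS`.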
 

Cynical

Active Member
Not being able to hack into people's personal stuff is considered n00b-ish?
 
Brandon

Guest
Everyone should be able to get into a javascript password.
 

dragoneye_xp

New Member
I fixed the XSS hole in my navigator. Bet that <script> trick won't work now...
 

Bryon

I Fix Things
Dragoneye, just use something like: $string = strip_tags($string, '<a><b><u><i>'); to strip everything but HTML bold, italic, underline, and anchor tags. I don't know if you knew that. I think you fixed it already? Hmm.

"Everyone should be able to get into a javascript password."

I know of a few javascript password scripts that are *almost* impossible to get the password from. :)
 
Brandon

Guest
What, the ones where the page is a .html, so if you enter asdfa it looks for asdfa.htm?
 

dragoneye_xp

New Member
"Dragoneye, just use something like: $string = strip_tags($string, '<a><b><u><i>'); to strip everything but HTML bold, italic, underline, and anchor tags. I don't know if you knew that. I think you fixed it already? Hmm."

Thanks for the tip -- I never knew that. I think I'll go do some code revising now...
 