WEBPAGE HACKING TEST - How secure is my encryption?
This will be a good test for those that know about secured webpage flaws.
It's a simple bit of code that I devised in BASIC and ported across to a webpage, and was wondering how secure it is. I obviously know how it works inside out, but from the information you have, I can't see it at all possible to get the username AND password to allow authentication.
And yes, there is both a username and password.
HERE!!!!
you can do a view...source which will give you your encryption algorithm:
which if i could be arsed to sit here with a calculator n work it out i could work out what password etc. will let me in...
Code:
// **** ENCRYPTS USERNAME > RESULT IN USERCODE
i = 0;
n = 0;
while (i < username.length) {
    do {
        m = username.charCodeAt(i);
        if (m == 100) {
            m = 69;
        }
        usercode *= m;
        while (usercode > 1000000000000) {
            usercode = usercode / 10;
            usercode = Math.round(usercode);
        }
        n++;
    } while (n <= i);
    n = 0;
    i++;
}
// *********************************************
// **** ENCRYPTS PASSWORD > RESULT IN PASSCODE
i = 0;
n = 0;
while (i < password.length) {
    do {
        m = password.charCodeAt(i);
        if (m == 100) {
            m = 69;
        }
        passcode *= m;
        while (passcode > 1000000000000) {
            passcode = passcode / 10;
            passcode = Math.round(passcode);
        }
        n++;
    } while (n <= i);
    n = 0;
    i++;
}
Assuming what Jim is saying is correct and all the password authentication is done client side, I reckon you should rewrite the system and place it on the server side, i.e. in something like a PHP script. As if the workings of your security are on public view (like client side code is) some smart arse will work it out!
Originally Posted by Jim Galbally
also i see it links directly to another webpage, so you could bypass it altogether if you knew the name of the redirected webpage
here's a thought... are you doing this as a fun learning thing or do you simply want some easy security on there? as I'm pretty sure IIS has security stuff built in anyway, using the normal bits n bobs (I think it even does SSL too) would be muchos easier
people, just because you can see the formula does not mean you can break it, as any good formulas are one way, hence the password is encrypted again to see if it's correct.
As to if this formula is one way and how 'strong' it is could only be answered by someone who is good with maths which I am not. So Jim put your calculator away as it will not help you here!!LOL
Is it using a standard one-way encryption formula or did you make one up?
--edited
scrap that, had a good look at it, pretty sure it is a one way formula but at a guess it's not very strong, and if you really wanted to, a program could be written to give you all the string input possibilities for a given string input length from a passcode.
also it's not possible to disable the right click, it's still easy to get round that.
all pages get cached in the temporary internet files, and these can simply be loaded with notepad to view.
Originally Posted by turbo man
lol, owned
I'm going to hazard a guess there's too many variables here......the 922968215732 (usercode) and 359751198262 (passcode) are the multiples of the Unicode values of the corresponding characters in the username & password, but without knowing how many characters there are in each, it's going to be guesswork to decrypt the username/password. Plus there's the manipulation of dividing the usercode by 10 if the total (m) is more than 1000000000000 before you reach the end of either the username or password, and then rounding it to the nearest integer.
With the information we have the only way to solve this problem is with brute force. By hand this is far too time consuming, so there would have to be something pretty special in the member's area to make it worthwhile.
You can make assumptions with regards to which characters are allowed in the password as the password is the name of the html file (obviously only certain characters are allowed in this situation).
Hiding the maths by making it server side would make it even tougher to crack.
ps. I make the only permissible character codes as follows:
33 to 64, 69, 97 to 99, 101 to 126.
Unless I'm using the formula wrong, I make "escort" to convert to 168,787,479,564, which isn't the 922,968,215,732 listed in the source?
101 * 115 * 99 * 111 * 114 * 116 = 1,687,874,795,640
That's greater than 1,000,000,000,000, so divide by 10 to get 168,787,479,564?
fook knows dan, but that's the username and it says it if u enter it as a user
instead of saying incorrect user it says password not correct for user
i'll dig the code out sometime and have a look
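
Added example, not part of the original thread or the site's own code: a Node.js sketch of the scheme as posted, showing why the hand calculation above differs from the listed usercode, that the 'd' rule produces collisions, and what the server-side check suggested in the thread could look like with a salted scrypt hash. It assumes the accumulator starts at 1 (the snippet does not show the initial value); all function names are hypothetical.

```javascript
const crypto = require('node:crypto');

// The scheme as posted: character i is multiplied in (i + 1) times, and the
// running value is divided by 10 and rounded whenever it exceeds 10^12.
// Assumption: the accumulator starts at 1 (not shown in the posted snippet).
function pageCode(text) {
  let code = 1;
  for (let i = 0; i < text.length; i++) {
    let m = text.charCodeAt(i);
    if (m === 100) m = 69;              // 'd' is folded onto 'E'
    for (let n = 0; n <= i; n++) {
      code *= m;
      while (code > 1000000000000) code = Math.round(code / 10);
    }
  }
  return code;
}

// The straight product tried by hand in the thread (each character used once).
function straightProduct(text) {
  let code = 1;
  for (const ch of text) code *= ch.charCodeAt(0);
  while (code > 1000000000000) code = Math.round(code / 10);
  return code;
}

// Server-side alternative: keep a random salt and a scrypt hash on the server,
// so nothing the browser downloads can be tested against offline.
function enroll(password) {
  const salt = crypto.randomBytes(16);
  return { salt, hash: crypto.scryptSync(password, salt, 32) };
}

// Recompute with the stored salt and compare in constant time.
function verify(password, record) {
  const candidate = crypto.scryptSync(password, record.salt, 32);
  return crypto.timingSafeEqual(candidate, record.hash);
}

// Constructed sample input for the demonstration.
const record = enroll('constructed-sample-passphrase');
console.log(pageCode('escort'));                  // matches the usercode quoted in the thread
console.log(straightProduct('escort'));           // the hand-calculated figure
console.log(pageCode('bad') === pageCode('baE')); // two inputs, one code
console.log(verify('constructed-sample-passphrase', record), verify('guess', record));
```

The repeated multiplication explains the mismatch with the hand calculation, and the 'd' substitution plus the rounding mean many different strings share one code, so the published numbers accept more than the intended credentials.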