Back To Programming / Scripting / Coding Forum

Hiding Source Code

wynpublishing
Newbie
Joined: 02 Jul 2003
Posts: 5
Status: Offline

July 2nd, 2003, 7:54 pm

I bet you cannot see this source code!
http://www.lightningjoe.com/secure.htm

Hey Bigwebmaster,
You obviously know your stuff. See if you can find out
what url this refer-a-friend form promotes.

I am writing this myself and so far I know of only one
possible way to get the source code.

See what you think.

NOTE: This is not an advertisment. There is nothing on this page
except the hidden source code in question.

http://www.lightningjoe.com/secure.htm
Greg

Anonymous
Bot
- www.ozzu.com
Joined: 25 Feb 2008
Posts: ?
Loc: Ozzuland
Status: Online

July 2nd, 2003, 7:54 pm

Bigwebmaster
Site Admin
- Website
Joined: 20 Dec 2002
Posts: 6864
Loc: Seattle, WA
Status: Offline

July 2nd, 2003, 9:26 pm

I haven't looked into it much yet, but is the URL:

http://www.lightningjoe.com/services/ReferAFriend.asp

If the URL redirects internally, such as through your ASP script then there is no way I can tell you what URL it really promotes. If the link is somehow contained in JavaScript or in HTML then I can get at it with more work.

Rock the 411 - Need members to join that are interested
Television, shows, movies, music, and celebrity gossip forum

Bigwebmaster
Site Admin
- Website
Joined: 20 Dec 2002
Posts: 6864
Loc: Seattle, WA
Status: Offline

July 2nd, 2003, 9:38 pm

Or is it one of these:

http://www.lightningjoe.com/contact.asp
http://www.lightningjoe.com/loginform.asp

I grabbed that from this JavaScript line:

Line number On/Off

Code: Select all

code='<form action=http://www.lightningjoe.com/services/ReferAFriend.asp method=post><input type=hidden name=Afl value=5><input type=hidden name=ReferID value="Form1"><input type=hidden name=Description value="Source Code Encryptor. This is a test.\nSee if you can find out which URL this form promotes!"><input type=hidden name=URL value="http://www.lightningjoe.com/secure.htm"><input type=hidden name=OwnerEmail value="webmaster@lightningjoe.com"><input type=hidden name=URLSuccess value="http://www.lightningjoe.com/loginform.asp"><input type=hidden name=URLFail value="http://www.lightningjoe.com/contact.asp"><table border=0 width=500 cellpadding=3 cellspacing=0><tr><td bgcolor="#000099" colspan=3 align=center><font color="#ffffcc" size="+1">Refer Your Friends To Lightning joe</font></td><tr><td bgcolor="#cccccc" colspan=2 align=center>Full Name</td><td bgcolor="#cccccc">Email Address</td></tr><tr><td bgcolor="#cccccc">You </td><td align=center bgcolor="#cccccc"><input type=text name=SenderName size=25></td><td bgcolor="#cccccc" align=center><input type=text name=SenderEmail size=25></td></tr><tr><td bgcolor="#cccccc">Friend #1 </td><td align=center bgcolor="#cccccc"><input type=text name=RecipName1 size=25></td><td bgcolor="#cccccc" align=center><input type=text name=RecipEmail1 size=25></td></tr><tr><td bgcolor="#cccccc">Friend #2 </td><td align=center bgcolor="#cccccc"><input type=text name=RecipName2 size=25></td><td bgcolor="#cccccc" align=center><input type=text name=RecipEmail2 size=25></td></tr><tr><td bgcolor="#cccccc">Friend #3 </td><td align=center bgcolor="#cccccc"><input type=text name=RecipName3 size=25></td><td bgcolor="#cccccc" align=center><input type=text name=RecipEmail3 size=25></td></tr><tr><td bgcolor="#cccccc">Friend #4 </td><td align=center bgcolor="#cccccc"><input type=text name=RecipName4 size=25></td><td bgcolor="#cccccc" align=center><input type=text name=RecipEmail4 size=25></td></tr><tr><td bgcolor="#cccccc">Friend #5 </td><td align=center bgcolor="#cccccc"><input type=text name=RecipName5 size=25></td><td bgcolor="#cccccc" align=center><input type=text name=RecipEmail5 size=25></td></tr><tr><td align=center bgcolor="#cccccc" colspan=3>Our Site Description:<BR><pre>Source Code Encryptor. This is a test.\nSee if you can find out which URL this form promotes!</pre></td></tr><tr><td align=center bgcolor="#cccccc" colspan=3>Your Comments About Our Site?<BR><textarea cols=55 rows=5 name=Comments></textarea></td></tr><tr><td align=center bgcolor="#cccccc" colspan=3><input type=checkbox name=chkMoreinfo value=True checked>I want to add a Refer a Friend Form To My Site</td></tr><tr><td align=center bgcolor="#000099" colspan=3><input type=submit name=submit value="Send Invitation"></td></tr></table>'

Rock the 411 - Need members to join that are interested
Television, shows, movies, music, and celebrity gossip forum

wynpublishing
Newbie
Joined: 02 Jul 2003
Posts: 5
Status: Offline

July 2nd, 2003, 11:57 pm

Yup. I was right you do know your stuff.

The url is actualy the /secure.htm itself.
What I did was put server side code saying essentially that
if the refering page (the one holding the script) is not
mydomain/secure.htm then write 'Access Denied'

When I tried entering the script URL (the syndicate.asp.... page)
directly into my browser, I could NOT see anything except
'Access Denied'

So you have helped me verify that depending on browser
versions and setting,etc. my method is still not
fool proof because you were able to see the form HTML code.

So to review:

1) HTML Page has javascript in it (that references page 2, the script)

2) Page 2 (the script) checks to see if the referring page (HTML Page)
is the same url as the encrypted one passed

3) Supposedly, the server is 'suppose' to deny writing back the code
if the referer is NOT the correct url.

But I guess you found a way around it.

Thanks for your input. It was fun!

I am glad to have found your forum.

Gregory

Bigwebmaster
Site Admin
- Website
Joined: 20 Dec 2002
Posts: 6864
Loc: Seattle, WA
Status: Offline

July 3rd, 2003, 12:58 am

Yup, you should know the referrer tag is easily manipulated and is not dependable if you are to really secure something. I actually got Access Denied the first time, but got around that within a minute. I think the majority of people wouldn't figure it out though, only the determined ones. There are tons of things you can do to protect code, but no matter what you do it will not ever be 100% protected.

Anyway we are glad you found the forum too and hope you stick around. Feel free to try and stump us anytime

Rock the 411 - Need members to join that are interested
Television, shows, movies, music, and celebrity gossip forum

UNFLUX
Genius
- Website
Joined: 20 Dec 2002
Posts: 6398
Loc: unflux.net
Status: Offline

July 3rd, 2003, 10:37 am

Bigwebmaster = 6
Challengers = 0

UNFLUX.net Hosting | Foto
Quality Web Hosting

wynpublishing
Newbie
Joined: 02 Jul 2003
Posts: 5
Status: Offline

July 3rd, 2003, 2:15 pm

Quote:

the referrer tag is easily manipulated and is not dependable

Feel like telling us how you manipulate the referrer?

Bigwebmaster
Site Admin
- Website
Joined: 20 Dec 2002
Posts: 6864
Loc: Seattle, WA
Status: Offline

July 3rd, 2003, 3:21 pm

Well I am sure there are numerous programs out there that can allow you to change your referrer URL in your browser, but the simpliest way without getting any programs is to just goto your site through a telnet application and simply connect to port 80 on your site and type something like this:

Line number On/Off

Code: Select all

GET http://www.lightningjoe.com/secure.htm HTTP/1.1
Accept: */*
Referer: http://www.lightningjoe.com/secure.htm
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705)
Host: www.lightningjoe.com
Connection: Keep-Alive

At the end make sure you press return twice. When you goto a website with your browser, this is basically all the browser is sending.

Rock the 411 - Need members to join that are interested
Television, shows, movies, music, and celebrity gossip forum

HeLLsHInE
Newbie
Joined: 08 Jul 2003
Posts: 10
Status: Offline

July 8th, 2003, 12:13 am

hiya guys
i'm new to this board, found the thread over search enginge
and now i'm asking me if u could help me

http://www.minerva-it-college.ch/~bscha ... rce_1.html

looks like a normal webpage, but the source code is scrambled and i don't know how to encrypt it.

Quote:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">

<HTML lang=de
xml:lang="de" xmlns="http://www.w3.org/1999/xhtml"><HEAD><TITLE>Tabellen</TITLE>
<META content=2 http-equiv=expires>
<META content=no http-equiv=imagetoolbar>
<STYLE media=print type=text/css>BODY {
DISPLAY: none
}
</STYLE>

<META content=de name=Content-Language>
<META content=de name=language>
<META content="beni schaja" name=description>
<META content="Beni Schaja" name=author>
<META content="beni , schaja ,tabelle" name=keywords>
<META content="index, follow" name=robots>
<META content="Microsoft FrontPage 4.0" name=GENERATOR>
<META content=1.0 name=version>
<META content="07.07.2003 20:03" name=versiondate>
<META content="07.07.2003 20:03" name=lastchanged>
<META content="text/html; charset=iso-8859-1" http-equiv=Content-Type>
<META content=604800 http-equiv=expires>
<META content=yes name=MSSmartTagsPreventParsing>
<META content=DE name=geo.country>
<META content=de name=dc.language>
<META content="© 2003 beni schaja" name=copyright><LINK
href="Tabellen-Dateien/standart.css" rel=stylesheet
title="standart.css eine css file" type=text/css></HEAD>
<BODY>
<?xml version="1.0"?>
<p>
<SCRIPT language=JavaScript type=text/javascript></SCRIPT>
<NOSCRIPT>Zur Anzeige dieser Seite benötigen Sie einen JavaScript-fähigen
Browser.</NOSCRIPT> </BODY></HTML>

if any1 can help me i would be really thanksfull

Bigwebmaster
Site Admin
- Website
Joined: 20 Dec 2002
Posts: 6864
Loc: Seattle, WA
Status: Offline

July 8th, 2003, 3:51 am

The first step is to figure out what functions are really existing. The code

Line number On/Off

Code: Select all

<SCRIPT language=JavaScript type=text/javascript><!--
var d=70,w="",o="8em;rB\"nDh%)l>NzXdktV2=Fw6MACa/Ip.sJP39&Wyfu|x!T-qY v5gbScio:U01EOj_<(",i="";eval(unescape("%66%75%6E%63%74%69%6F%6E%20%76%28%6C%29%7B%76%61%72%20%6D%3D%27%27%2C%78%2C%74%2C%71%2C%63%3B%66%6F%72%28%78%3D%30%3B%78%3C%6C%2E%6C%65%6E%67%74%68%3B%78%2B%2B%29%7B%74%3D%6C%2E%63%68%61%72%41%74%28%78%29%3B%71%3D%6F%2E%69%6E%64%65%78%4F%66%28%74%29%3B%69%66%28%71%3E%2D%31%29%7B%63%3D%28%28%71%2B%31%29%25%64%2D%31%29%3B%69%66%28%63%3C%3D%30%29%7B%63%2B%3D%64%7D%6D%2B%3D%6F%2E%63%68%61%72%41%74%28%63%2D%31%29%7D%65%6C%73%65%7B%6D%2B%3D%74%7D%7D%77%2B%3D%6D%7D%3B%66%75%6E%63%74%69%6F%6E%20%79%79%79%28%29%7B%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%77%29%3B%69%3D%22%22%7D"));

really is

Line number On/Off

Code: Select all

The rest of the data is basically encrypted and loaded into this function and then written with the document.write function.

Rock the 411 - Need members to join that are interested
Television, shows, movies, music, and celebrity gossip forum

Bigwebmaster
Site Admin
- Website
Joined: 20 Dec 2002
Posts: 6864
Loc: Seattle, WA
Status: Offline

July 8th, 2003, 4:05 am

So what you can do to obtain the real source is save the source of his webpage as a temporarily html file on your computer. Then modify the escaped part. So in other words If you make the html file look something like:

Line number On/Off

Code: Select all

<SCRIPT language=JavaScript type=text/javascript></SCRIPT>

If you did not notice I adjust his escaped function so that instead of executing the html as is, it actually replaces key characters like &,<,>, with things like & lt, and & rt, and so on so that it doesn't get interprted as true html or javascript and actually displays the html to the page. This was the part I added in to do this:

Line number On/Off

Code: Select all

var source;

for(counter=0; counter<encryptedstuff.length; counter++) {
if(encryptedstuff.charAt(counter) == '}')
source = source + '<br>' + encryptedstuff.charAt(counter) + '<br>';
else if(encryptedstuff.charAt(counter) == '&' && encryptedstuff.charAt(counter+1) == 'n' && encryptedstuff.charAt(counter+2) == 'b' && encryptedstuff.charAt(counter+3) == 's' && encryptedstuff.charAt(counter+4) == 'p' && encryptedstuff.charAt(counter+5) == ';') {
source = source + '&' + 'amp;' + 'nbsp;<br>';
counter += 5;
}
else if(encryptedstuff.charAt(counter) == 's' && encryptedstuff.charAt(counter+1) == 'c' && encryptedstuff.charAt(counter+2) == 'r' && encryptedstuff.charAt(counter+3) == 'i' && encryptedstuff.charAt(counter+4) == 'p' && encryptedstuff.charAt(counter+5) == ';') {
source = source + '&' + 'amp;' + 'nbsp;<br>';
counter += 5;
}

else if(encryptedstuff.charAt(counter) == '>')
source = source + '&' + 'gt;' + '<br>';
else if(encryptedstuff.charAt(counter) == '<')
source = source + '&' + 'lt;';
else if(encryptedstuff.charAt(counter) == '>' || encryptedstuff.charAt(counter) == ';' || encryptedstuff.charAt(counter) == '{')
source = source + encryptedstuff.charAt(counter) + '<br>';
else
source = source + encryptedstuff.charAt(counter);

}

document.write(source);

Rock the 411 - Need members to join that are interested
Television, shows, movies, music, and celebrity gossip forum

Bigwebmaster
Site Admin
- Website
Joined: 20 Dec 2002
Posts: 6864
Loc: Seattle, WA
Status: Offline

July 8th, 2003, 4:06 am

Anyway after doing all this you can see that the true source of his webpage is:

Line number On/Off

Code: Select all

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">

<HTML lang=de
xml:lang="de" xmlns="http://www.w3.org/1999/xhtml"><HEAD><TITLE>Tabellen</TITLE>
<META content=2 http-equiv=expires>
<META content=no http-equiv=imagetoolbar>
<STYLE media=print type=text/css>BODY {
DISPLAY: none
}
</STYLE>

<META content=de name=Content-Language>
<META content=de name=language>
<META content="beni schaja" name=description>
<META content="Beni Schaja" name=author>
<META content="beni , schaja ,tabelle" name=keywords>
<META content="index, follow" name=robots>
<META content="Microsoft FrontPage 4.0" name=GENERATOR>
<META content=1.0 name=version>
<META content="07.07.2003 20:03" name=versiondate>
<META content="07.07.2003 20:03" name=lastchanged>
<META content="text/html; charset=iso-8859-1" http-equiv=Content-Type>
<META content=604800 http-equiv=expires>
<META content=yes name=MSSmartTagsPreventParsing>
<META content=DE name=geo.country>
<META content=de name=dc.language>
<META content="© 2003 beni schaja" name=copyright> href="Tabellen-Dateien/standart.css" rel=stylesheet
title="standart.css eine css file" type=text/css></HEAD>

<?xml version="1.0"?>

<script language="JavaScript" type="text/javascript">

</script>

</script>
<![endif]-->
<h3>
Tagebuch</h3>
<table class="table_Y">
<tr>
<td class="tableY1">
<strong>
01.12.2002</strong>
</td>
<td class="tableY2">
Internationaler AIDS-Tag</td>
</tr>
<tr>
<td class="tableY1">
<strong>
06.12.2002</strong>
</td>
<td class="tableY2">
Ich war beim Samilchlaus und habe eine feine Mandarine bekommen!</td>
</tr>
</table>
<h3>
Stundenplan</h3>
<table class="table_X">
<tr>
<td class="tableX0">
&
</td>
<td class="tableX">
<strong>
Montag</strong>
</td>
<td class="tableX">
<strong>
Dienstag</strong>
</td>
<td class="tableX">
<strong>
Mittwoch</strong>
</td>
<td class="tableX">
<strong>
Donnerstag</strong>
</td>
<td class="tableX">
<strong>
Freitag</strong>
</td>
</tr>
<tr>
<td class="tableX0">
<strong>
9:30</strong>
</td>
<td class="tableX">
Mathe</td>
<td class="tableX">
PC-Werkstatt</td>
<td class="tableX">
PC-Werkstatt</td>
<td class="tableX">
&
</td>
<td class="tableX">
Elektrotechnik</td>
</tr>
<tr>
<td class="tableX0">
<strong>
9:15</strong>
</td>
<td class="tableX">
Englisch</td>
<td class="tableX">
PC-Werkstatt</td>
<td class="tableX">
PC-Werkstatt</td>
<td class="tableX">
&
</td>
<td class="tableX">
Elektrotechnik</td>
</tr>
<tr>
<td class="tableX0">
<strong>
10:30</strong>
</td>
<td class="tableX">
ABU</td>
<td class="tableX">
PC-Werkstatt</td>
<td class="tableX">
PC-Werkstatt</td>
<td class="tableX">
&
</td>
<td class="tableX">
Elektrotechnik</td>
</tr>
<tr>
<td class="tableX0">
<strong>
11:15</strong>
</td>
<td class="tableX">
Englisch</td>
<td class="tableX">
PC-Werkstatt</td>
<td class="tableX">
PC-Werkstatt</td>
<td class="tableX">
&
</td>
<td class="tableX">
Elektrotechnik</td>
</tr>
</table>

<NOSCRIPT>Zur Anzeige dieser Seite benötigen Sie einen JavaScript-fähigen
Browser.</NOSCRIPT> </HTML>

Rock the 411 - Need members to join that are interested
Television, shows, movies, music, and celebrity gossip forum

HeLLsHInE
Newbie
Joined: 08 Jul 2003
Posts: 10
Status: Offline

July 8th, 2003, 4:13 am

hehe

i love u man

Bigwebmaster
Site Admin
- Website
Joined: 20 Dec 2002
Posts: 6864
Loc: Seattle, WA
Status: Offline

July 8th, 2003, 4:18 am

I am unstoppable. Anyway welcome to Ozzu and we hope you stick around

Rock the 411 - Need members to join that are interested
Television, shows, movies, music, and celebrity gossip forum

HeLLsHInE
Newbie
Joined: 08 Jul 2003
Posts: 10
Status: Offline

July 8th, 2003, 7:43 am

just 1 little questions
how did get the function from the first part ?

Anonymous
Bot
- www.ozzu.com
Joined: 25 Feb 2008
Posts: ?
Loc: Ozzuland
Status: Online

July 8th, 2003, 7:43 am

1, 2, 3, 4, 5, 6, 7

To Reply to this topic you need LOGIN or REGISTER. It is free.

Post Information

Total Posts in this topic: 95 posts
Moderator: Moderator Team
Users browsing this forum: No registered users and 102 guests

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Hiding Source Code

Post Information

Other Languages

Forum Network

Sponsored Links

Website Development

Graphics

OS & Hardware

Internet Marketing

Marketplace

Community Area

Ozzu Maintenance

Forum Partners

Forum Supporters