Javascript Password Puzzle

  • Sogo7
  • Newbie
  • Posts: 6
  • Loc: UK

Post 3+ Months Ago

Here's a little brain teaser for you all.

A client wants a secure members-only area of their website with username/password access control; however, the site's web host does not support any form of server-side scripting and, to complicate matters further, the client will not or cannot move host.

How would you code it?

  • Bogey
  • Genius
  • Posts: 8388
  • Loc: USA

Post 3+ Months Ago

htaccess

http://www.htmlite.com/HTA006.php
http://www.google.com/#sclient=psy&hl=e ... 393480168f
  • Sogo7
  • Newbie
  • Posts: 6
  • Loc: UK

Post 3+ Months Ago

Nice try, but no cigar.
Was the first thing I thought of but host does not permit any access server side.

All you have is an online WYSIWYG builder with a simple view source HTML edit option that thankfully allows Javascript to be inserted.

So it has to be done using client side Javascript and must be secure.

Common sense says there's no way it could provide any real measure of security, but this would not be a brain teaser if the answer was easy.

Rest assured this was a real-life challenge given to me by a client earlier this year and, believe it or not, there is a solution.
  • Bogey
  • Genius
  • Posts: 8388
  • Loc: USA

Post 3+ Months Ago

Only thing that comes to mind is JavaScript, but those things aren't very secure.
  • Sogo7
  • Newbie
  • Posts: 6
  • Loc: UK

Post 3+ Months Ago

A sheet of paper is fragile yet a telephone directory can stop a bullet.

Look beyond the weakness of the language and examine its strengths.



It took me a week, couple of nights without sleep and coffee so thick you could slice it before I figured out how to do this :lol: . When I have enough posts to permit adding a URL will send answer via private message.
  • WritingBadCode
  • Graduate
  • Posts: 214
  • Loc: Sweden

Post 3+ Months Ago

Please send me the answer in private (I know for a fact I won't figure it out on my own unfortunately).

But I'm very curious about how you solved it.
  • Zealous
  • Guru
  • Posts: 1240
  • Loc: Sydney

Post 3+ Months Ago

Code:
<script type="text/javascript">

// Note: Like all Javascript password scripts, this is hopelessly insecure as the user can see
// the valid usernames/passwords and the redirect url simply with View Source.
// And the user can obtain another three tries simply by refreshing the page.
// So do not use for anything serious!

var count = 2; // failed attempts still allowed after the current one

function validate() {
    var un = document.myform.username.value;
    var pw = document.myform.pword.value;
    var valid = false;

    var unArray = ["Philip", "George", "Sarah", "Michael"]; // as many as you like - no comma after final entry
    var pwArray = ["Password1", "Password2", "Password3", "Password4"]; // the corresponding passwords

    // Compare the input against each username/password pair
    for (var i = 0; i < unArray.length; i++) {
        if ((un == unArray[i]) && (pw == pwArray[i])) {
            valid = true;
            break;
        }
    }

    if (valid) {
        alert("Login was successful");
        window.location = "http://www.google.com";
        return false;
    }

    var t = " tries";
    if (count == 1) { t = " try"; }

    if (count >= 1) {
        alert("Invalid username and/or password. You have " + count + t + " left.");
        document.myform.username.value = "";
        document.myform.pword.value = "";
        // Return focus to the username field once the alert has closed
        setTimeout(function () { document.myform.username.focus(); }, 25);
        setTimeout(function () { document.myform.username.select(); }, 25);
        count--;
    } else {
        alert("Still incorrect! You have no more tries left!");
        document.myform.username.value = "No more tries allowed!";
        document.myform.pword.value = "";
        document.myform.username.disabled = true;
        document.myform.pword.disabled = true;
        return false;
    }
}

</script>

<form name="myform">
<p>ENTER USER NAME <input type="text" name="username"> ENTER PASSWORD <input type="password" name="pword">
<input type="button" value="Check In" name="Submit" onclick="validate()">
</p>

</form>


I was looking over this and I got a flashing light globe above my head, but I fear I may be wrong.

Now, not sure how many people saw the Captain Crunch Team C99sh shell; if you looked at the source, it was read in base64. Now I am not sure if that only applies to, let's say, PHP, but what if we could do the same with HTML, as: The atob() and btoa() JavaScript methods, defined in the HTML5 draft specification, provide base64 encoding and decoding functionality to web pages. The atob method is unusual in that it does not ignore whitespace or new lines, throwing an INVALID_CHARACTER_ERR instead. The btoa method outputs padding characters, but these are optional in the input of the atob method. (note from wiki)

Hmm, now that I think of it, it could be converted back, but what would be shown in source?

Food for thought, and I hope this post is not a failure of massive proportion.
  • Nightslyr
  • Proficient
  • Posts: 283

Post 3+ Months Ago

Sogo7 wrote:
A sheet of paper is fragile yet a telephone directory can stop a bullet.

Look beyond the weakness of the language and examine its strengths.



It took me a week, couple of nights without sleep and coffee so thick you could slice it before I figured out how to do this :lol: . When I have enough posts to permit adding a URL will send answer via private message.


I'm curious to see your solution as well.
  • Bigwebmaster
  • Site Admin
  • Posts: 9086
  • Loc: Seattle, WA & Phoenix, AZ

Post 3+ Months Ago

The only possible thing I can think of that would be secure, is for the content of this members area to be completely encrypted before you place it in your HTML. You would then provide the customers who need access with the key or password to decrypt it and display it to the browser. Of course your page would have a JavaScript based program that would ask for the password which would decrypt the data and dynamically display it to the browser.

This would be very similar to how when you create an Adobe PDF document, you can encrypt the entire document with a password, of which you can send to anybody. Nobody would be able to actually read the content of the PDF document unless they had that password, yet everyone still has access to the source of the PDF, just like everyone would have access to the source of this HTML page. The source is useless though without the key to decrypt it.
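
The encrypt-then-publish approach described in the post above, as an added example that is not code from this thread or from any poster's solution. It assumes the Web Crypto API (PBKDF2 for the password-derived key, AES-GCM for the content); the names sealPage, openPage and ITERATIONS are hypothetical.

```javascript
// Added example: password-based encryption of a members-only HTML fragment.
// All names below (sealPage, openPage, ITERATIONS) are hypothetical.
const ITERATIONS = 600000; // PBKDF2 work factor; an assumption, tune for visitors' devices

// Browsers expose Web Crypto as globalThis.crypto; older Node needs the import.
async function getCrypto() {
  return globalThis.crypto ?? (await import("node:crypto")).webcrypto;
}

async function deriveKey(c, password, salt) {
  const material = await c.subtle.importKey(
    "raw", new TextEncoder().encode(password), "PBKDF2", false, ["deriveKey"]);
  return c.subtle.deriveKey(
    { name: "PBKDF2", hash: "SHA-256", salt, iterations: ITERATIONS },
    material, { name: "AES-GCM", length: 256 }, false, ["encrypt", "decrypt"]);
}

const toB64 = (bytes) => btoa(Array.from(bytes, (b) => String.fromCharCode(b)).join(""));
const fromB64 = (s) => Uint8Array.from(atob(s), (ch) => ch.charCodeAt(0));

// Run once by the site owner, offline; only the returned string goes into the page.
async function sealPage(html, password) {
  const c = await getCrypto();
  const salt = c.getRandomValues(new Uint8Array(16)); // fresh per sealing
  const iv = c.getRandomValues(new Uint8Array(12));   // never reuse with the same key
  const key = await deriveKey(c, password, salt);
  const ct = new Uint8Array(await c.subtle.encrypt(
    { name: "AES-GCM", iv }, key, new TextEncoder().encode(html)));
  return [salt, iv, ct].map(toB64).join(".");
}

// Run in the visitor's browser. Returns the HTML, or null for a wrong password,
// a malformed blob, or a modified blob (AES-GCM authentication fails).
async function openPage(sealed, password) {
  const c = await getCrypto();
  try {
    const [salt, iv, ct] = sealed.split(".").map(fromB64);
    const key = await deriveKey(c, password, salt);
    const pt = await c.subtle.decrypt({ name: "AES-GCM", iv }, key, ct);
    return new TextDecoder().decode(pt);
  } catch (_) {
    return null;
  }
}
```

Because the sealed blob is public, anyone can guess passwords against it offline, so the protection is only as strong as the password; a shared password also cannot be revoked for one member without re-sealing the page.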
