Welcome to the MacNN Forums.

Scifience · Oct 1, 2004, 07:41 PM

<html>
<head>
<title></title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">

<SCRIPT LANGUAGE="JavaScript">

</SCRIPT>
</head>

<body bgcolor="#CCCCCC">
<h2 align="center">Grade Reports</h2>
<p align="center"><br><br></p>
<p align="center"><img src="graphic.gif" align="middle"></p>

<form name=verify onsubmit="return check_password(verify)" >
<div align="center">
<table border="0" cellspacing="3" width="130">
<tr valign="middle"><td align="right"><div align="center"><b>Class</b></div></td></tr>

<tr valign="middle"><td align="right"><div align="center"><b>
<select name="classes">
<option value="AllClasses">All Classes</option>
</select>
</b></div></td></tr>

<tr valign="middle"><td><div align="center"><b>Last Name</b></div></td></tr>
<tr valign="middle"><td><div align="center"><input type="text" name="textfield" value="" maxlength="31"></div></td></tr>
<tr valign="middle"><td><div align="center"><b>Password</b></div></td></tr>
<tr valign="middle"><td><div align="center"><input type="password" name="textfield2" value="" maxlength="31"></div></td></tr>
<tr valign="middle"><td><div align="center"><input type="submit" name="view" value="View Report"></div></td></tr>

</table>
</div>
</form>
<hr>
<img src="security.gif" name="security" height="1" width="1" onLoad="get_report(verify)" onError="handle_error(verify)">
</body></html>

Would someone please explain to me how this code works? I don't know much about JavaScript, but I'm assuming that the password (or at least how the password is arrived at) should be able to be derived from here.

Don't worry, I'm not trying to do anything illegal, this if for my dad's school - I'm trying to prove that a non-SSL based client-side only security solution isn't a good idea. This is the code they would be using and I'm trying to figure out just how (in)secure it is. BTW, it is hosted on a .Mac account, so there is no server-side stuff at all that could be going on.

spiky_dog · Oct 1, 2004, 10:11 PM

this is the important line:

code = ((2*n+p)^13) % (alphanum.length-1)

(% is the mod operator.)

my analysis is that while it's stupid to have this done on the client side without encryption it nonetheless is non-trivial to go from "code" to "n" and "p". then again it looks as if n and p will be bounded in their values by the length of the string passed in so it would be an easy task to try all possible values. i'm not sure how to go from n and p to the original string, both because it's a friday night and because i'm not quite sure what this does and am too lazy to look it up:

alphanum.indexOf(s.substring( i,i+1 ))

djohnson · Oct 1, 2004, 10:26 PM

Don't worry, I'm not trying to do anything illegal, this if for my dad's school - I'm trying to prove that a non-SSL based client-side only security solution isn't a good idea. This is the code they would be using and I'm trying to figure out just how (in)secure it is. BTW, it is hosted on a .Mac account, so there is no server-side stuff at all that could be going on.

Agreed. Encryption on the client side can sometimes get tricky... Why not try posting this in the Developer forum or Web Developer forum?

Oh yeah, gotta love the lack of indentions!

ambush · Oct 1, 2004, 11:17 PM

Originally posted by spiky_dog:
this is the important line:

code = ((2*n+p)^13) % (alphanum.length-1)

(% is the mod operator.)

my analysis is that while it's stupid to have this done on the client side without encryption it nonetheless is non-trivial to go from "code" to "n" and "p". then again it looks as if n and p will be bounded in their values by the length of the string passed in so it would be an easy task to try all possible values. i'm not sure how to go from n and p to the original string, both because it's a friday night and because i'm not quite sure what this does and am too lazy to look it up:

alphanum.indexOf(s.substring( i,i+1 ))

it's as if you said what I wanted to say.

porieux · Oct 2, 2004, 12:33 AM

code = ((2*n+p)^13) % (alphanum.length-1;

alert('password = ' + code);

porieux · Oct 2, 2004, 12:34 AM

better yet open the page in your browser and when it is done loading paste this in the URL bar

javascript:alert('password = ' + code);

ringo · Oct 2, 2004, 05:41 AM

I don't do too much with javascript, so somebody correct me if I'm misreading this, but it looks like you could bypass the security check entirely by creating a client-side version of the page that always returns "invalid" as false, and that appends the full url of the site to the beginning of address in

parent.bottom.document.location = address + file + ".html"

It looks like the above is called if the password matches, I don't see why you couldn't get the variables you needed for address and file out of the other functions in the script to parse your own url without having to enter a password or back into the lame encrytion scheme at all.

Angus_D · Oct 2, 2004, 06:12 AM

The [code] tag exists for a reason. Use it.

Scifience · Oct 2, 2004, 08:44 AM

Thanks for the explinations, guys.

I got a hold of the CD of the program that is generating this code and tried seeing how it put together the grade files.

It seems that the actual files with the grades in them are plain html stored in a subdirectory called AllClasses. The files have seemingly encrypted names.

I guess my questions is this: Is there a way, using my knowledge of the directory structure and the code I pasted in above, to access the grades of a student if you knew only their last name? Essentially, is there a way to generate the password from the last name?

At the moment, I am suspecting that the last name field is insignificant (but then why would it be included) and that the file name is really the password in an encrypted form.

Thanks for the help everyone - if this was PHP, I'd know what do to with it, but since it isn't, I really appreciate the insight.

Angus_D · Oct 2, 2004, 09:50 AM

At a cursory glance I'd say yes.

ringo · Oct 2, 2004, 10:51 AM

Originally posted by Scifience:
I guess my questions is this: Is there a way, using my knowledge of the directory structure and the code I pasted in above, to access the grades of a student if you knew only their last name? Essentially, is there a way to generate the password from the last name?

Assuming that

var s = form.textfield.value
var t = form.textfield2.value

if value 1 is last name and value 2 is password, then you are correct about the name of the page being the encrypted version of last name and password.

If you knew both, you could plug these into the getname s and t variables to generate the filename.

The "bad password" routine is in the error handling section following the part of the script that shows the report....so if the name, password and class index parsed into a url does not refer to a valid page, the "bad password" message would appear.

This is far from ideal since you could pull the page numbers out of a browser history if the page was accessed at a computer lab or another public location (or maybe sniff them out while in transit) but isn't horribly bad since without knowing the lastname and password combination, you won't be able to access the report page....you couldn't arbitrarily pull up someone's report just by knowing their last name and what class they were in.

ambush · Oct 2, 2004, 11:29 AM

JS security is ridiculous...

get a real option

11011001 · Oct 2, 2004, 05:58 PM

There is no such thing as security through obscurity.

It is very irresponsible if these teachers choose to use this code on their website.