WebApp Sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Web Forms filtered with SQL constraints

From: RSnake <rsnake () shocking com>
Date: Fri, 15 Oct 2004 16:56:47 -0700 (PDT)

Yah, any good hacker would then add something as simple as:

        newwindow=window.open('','name','height=200,width=150');
        var tmp = newwindow.document;
        tmp.write(decrypt(longstring));
        tmp.close();

... inside your script and now they have the decrypted source in a new
window (so they don't even have to muck around inside of the clutter of
the main window).  This isn't good security.  This is beyond trivial to
defeat.  If you are trying to hide it from people who know zero about JS
and are really no threat anyway, then yes, there is a very small amount
of value here.  But honestly, it's not the idiots that I'm worried
about.  Maybe it's just me, but it's the people who know how to get
around these programming 101 tricks that are the real threat.

On Fri, 15 Oct 2004, saphyr wrote:

| Date: Fri, 15 Oct 2004 11:13:20 +0200
| From: saphyr <saphyr () infomaniak ch>
| To: Michael Silk <michaels () phg com au>, Dr Death <drdeath4ever () hotmail com>,
|     webappsec () securityfocus com
| Subject: Re: Web Forms filtered with SQL constraints
| 
| 
| Hi list !
| 
| HTML code source can be obfuscated through a javascript method.
| BUT obfuscation only means what it means: obfuscation and neither
| 'encryption' nor 'hashing'.
| 
| Javascript has access to the document object model at runtime. Many
| document childs do have some 'value' or 'text' or even 'innerhtml'
| members, which can be modified at run time.
| 
| Here's an example of what you might be interrested into. Please take
| assumption that I quite never code in javascript so that this only a
| proof of concept, and might have many errors in it...
| 
| ---------------------jsscript.asp----------------------------
| var longstring = "iucpoint48cn09450945u90newuwpio....
|           ... many lines of longstring....
|          dfjks?fkj";
| 
| function decrypt(astring)
| {
|         //some decryption algorithm here
| }
| ---------------------jsscript.asp----------------------------
| 
| 
| 
| ---------------------obfuscated.html----------------------------
| <script src="jsscript.asp">
| <script>
|     var contentComponent = document.getElementById("pagecontent");
|     contentComponent.innerHTML = decrypt(longstring);
| </script>
| 
| <div id="pagecontent">
| </div>
| ---------------------obfuscated.html----------------------------
| 
| 
| The game here is to generate the 'jsscript.asp' dynamically in order
| to put the encrypted string into it. The hacker will have to understand
| the decryption algorithm to decipher the text.
| 
| Assuming the decryption algorithm should be clearly accessible, this
| method should only be used as an end-user  protection measure. Any
| good hacker will quickly find the way to reverse the decryption algorithm.
| 
| my 2 swiss francs..
| 
| .antoine
| 
| 
| 
| 
| 
| 
| 
| ------------oOoo---??----ooOo---------------------------
| http://www.nxtg.net/saphyr/  (blog perso)
| http://www.nxtg.net/is/ (blog - fr - communication web)
| http://dotnetjunkies.com/weblogs/afontes/ (blog - fr - communication web)
| E-mail: monprenom () mondomaine net
| -------------------------------------------------------------
| 
| 

-R

The information in this email is confidential and may be legally
privileged.  It is intended solely for the addressee.  Access to
this email by anyone else is unauthorized.  If you are not the
intended recipient, any disclosure, copying, distribution or any
action taken or omitted to be taken in reliance on it is 
expressly prohibited and may be unlawful.
Previous By Date Next
Previous By Thread Next

Current thread: