[ale] HTML encryption?
Geoffrey
esoteric at denali.atlnet.com
Wed Oct 31 08:09:01 EST 2001
I don't know the purpose of this particular app, but I agree with you
that I would hope it's not intended to create a secure solution. I've
seen another web site that did just that. It claimed that your credit
card was encrypted before it was sent. I noted that it was not using
ssl. I checked out the code and it was even more trivial than this
piece. Basically did an alphabetic shift of the characters. Took me
all of 5 minutes to 'decrypt' the solution. I sent email to the
'webmaster' but never heard anything back. Last I looked, it was still
using the same solution. Sad, because the person is either ignorant, or
doesn't care about the security of folks' information.
"Stephen J. Pellicer" wrote:
>
> What a fun little exercise!
>
> Something compelled me to look at this one just to see what this webmonkey
> was up to. I have the code I was working with at the end of this message. I
> renamed most of the variables to make it more readable. I'm assuming the
> long string of junk was calling d: d("Some long string of junk"). To see
> what they have as the source I just dropped the webpage into a textarea form
> control to take a look at it. The regular expression before printing it to
> the textarea is to replace any textarea closing tags that are in the
> resulting source. This prevents it from breaking out of the included
> textarea control.
>
> The algorithm just goes through and does a simple replace. The replace works
> the same in the reverse direction as well. It basically takes any letters
> located in the last half of the key and substitutes them with something in
> the first half of the key and vice versa. The substitution is based upon
> distance from the middle of the key. This essentially sets up a "mirror" in
> the middle of the key. Anything to the right of the mirror reflects the
> letter on the left of the mirror. If the character in the message doesn't
> show up in the key it just passes through.
>
> Pretty neat little late night activity. I sure hope this algorithm wasn't
> meant to be a way to secure the web application. That's the main reason I
> looked at it because I've been doing a lot of web application assessments
> these days and I see silly tricks like this all the time. The simple
> substitution is easy for those using it because it's reversible with the
> exact same algorithm. That means the coders can just send all of their page
> source through the same code and use the results in the page they serve up.
> The simple substitution also means you don't get any change in frequencies
> of characters and this particular implementation passes through any
> character not in the key. Also, if the key repeats any characters you may
> run into problems decoding.
>
> Stephen
>
> <!--- snip --->
> <script language="JavaScript">
> <!--
> ky="";
>
> function d(msg) {
> ky=ky+codeIt(key,msg);
> }
>
> var key =
> "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz<>]#\"";
> var
> index="0123456789012345678901234567890123456789012345678901234567890123456";
> var test="hello"
> var rslt="NQJJG"
>
> function codeIt (mKey, eMsg) {
> // halfKeyLen is 33.5 for the 67-character key; charAt() truncates the
> // fractional index, so every key position i ends up mapped to 66 - i
> var indexInKey, halfKeyLen = mKey.length / 2, result = "", dv;
> for (var x = 0; x < eMsg.length; x++) {
> // Walk through characters in message
> indexInKey = mKey.indexOf(eMsg.charAt(x));
> if (indexInKey > halfKeyLen) {
> // Character in message is in second half of key: reflect into first half
> dv = indexInKey - halfKeyLen;
> result = result + mKey.charAt(33 - dv);
> } else {
> if (indexInKey < 0) {
> // Character not in key passes through unchanged
> result = result + eMsg.charAt(x);
> } else {
> // Character in first half of key: reflect into second half
> dv = halfKeyLen - indexInKey;
> result = result + mKey.charAt(33 + dv);
> }
> }
> }
> return result;
> }
> // Plaintext that the encoded string below decodes to, for comparison:
> //d("<FORM><INPUT type=hidden name=haxor value=secret><TEXTAREA>Junk</TEXTAREA><INPUT type=submit></FORM>");
> d("4pgdi34mhfab B6FQ=NMRRQH HUIQ=NU7GD 9UJAQ=CQSDQB34bqXbudqu3lAHK4/bqXbudqu34mhfab B6FQ=CATIMB34/pgdi3");
> re = /<\/textarea>/gi;
> junk = ky.replace(re, "<\\/textarea>");
> document.write("<TEXTAREA cols=60 rows=30>"+junk+"</TEXTAREA>");
> //document.write(ky);
> //-->
> </SCRIPT>
> <HTML><HEAD>
> <TITLE>Junk</TITLE></HEAD><BODY>
> </BODY></HTML>
> <!---- Done ------------>
>
> ---
> This message has been sent through the ALE general discussion list.
> See http://www.ale.org/mailing-lists.shtml for more info. Problems should be
> sent to listmaster at ale dot org.
--
Until later: Geoffrey esoteric at denali.atlnet.com
"...the system (Microsoft passport) carries significant risks to users
that
are not made adequately clear in the technical documentation available."
- David P. Kormann and Aviel D. Rubin, AT&T Labs - Research
- http://www.avirubin.com/passport
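The mirror substitution Stephen describes, as an added example that is not part of either post: a general-key version of the mapping (for the 67-character key on the page it reproduces codeIt exactly, because the hard-coded 33 and the half-length arithmetic reduce to reflecting key index i to 66 - i), plus checks that show why it protects nothing: it is its own inverse, it preserves character frequencies, and a key with a repeated character breaks round-tripping. The names KEY, mirrorSubstitute, roundTrips, keyHasDuplicates, frequencyProfile and sameProfile are my own.

```javascript
// Added example, not code from the original post or the page it examined.
'use strict';

// Same key as the posted page; "hello" should become "NQJJG".
const KEY = '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ' +
            'abcdefghijklmnopqrstuvwxyz<>]#"';

// Reflect each character about the middle of the key: index i maps to
// index key.length - 1 - i. Characters absent from the key pass through.
// For the 67-character key above this is exactly what codeIt computes.
function mirrorSubstitute(key, msg) {
  let out = '';
  for (const ch of msg) {
    const i = key.indexOf(ch);
    out += i < 0 ? ch : key.charAt(key.length - 1 - i);
  }
  return out;
}

// Applying the substitution twice must give the message back. With a key
// that repeats a character, indexOf finds only the first copy, so the
// mirror image of the second copy does not map back to it.
function roundTrips(key, msg) {
  return mirrorSubstitute(key, mirrorSubstitute(key, msg)) === msg;
}

function keyHasDuplicates(key) {
  return new Set(key).size !== key.length;
}

// Per-character counts, sorted descending. A monoalphabetic substitution
// cannot change this profile, so ciphertext and plaintext share it and
// the "encryption" hides nothing from a frequency count.
function frequencyProfile(text) {
  const counts = new Map();
  for (const ch of text) counts.set(ch, (counts.get(ch) || 0) + 1);
  return [...counts.values()].sort((a, b) => b - a);
}

function sameProfile(a, b) {
  const pa = frequencyProfile(a), pb = frequencyProfile(b);
  return pa.length === pb.length && pa.every((n, k) => n === pb[k]);
}
```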