Thread: html password prompt

  1. #1
    Junior Member
    Join Date
    May 2003
    Posts
    25

    html password prompt

    I was just wondering, if you view the html of a passworded web page can you change the html to bypass a password prompt?

    For example the original code would be this:

    <form action="" method="POST"><input type="password" name="passwd"><input type="submit" name="Submit" value="Go"></form>

    could you change this to this:

    <input type="password" name="text1"> <font size="1"><input type="button" value="Go" name="Submit" onclick=javascript:validate(text2.value,"newbie",text1.value,"h4ck3r") >

    This is an example from www.hdcwargame.com that I came up with. I already passed these levels so I am not asking for help with the wargame, I just wondered if you could do this and if it would work. Of course you would have to save the changed html and open it in your browser but if you did this would the page validate "newbie" and "h4ck3r" instead of comparing it to a pwd file or pwl file on the server?????

    By the way, I did try this and it didn't work but........ that doesn't mean that it doesn't work in theory. This is why I ask
    Hi, I don't care........ Thanks

    4sale

  2. #2
    Senior Member roswell1329's Avatar
    Join Date
    Jan 2002
    Posts
    670
    Hmm.. Probably not. If you could provide us with the "action" that the form was pointing to, I could be more specific. Password authentication is performed by a number of different things, but if it's done right the protected page is the one that will be checking for a valid password, not the gateway page as you're suggesting. People could be using Perl, PHP, Java, Ruby, Python, or any number of a hundred CGI scripting languages to do authentication, but with any of them the idea behind authentication is to create some method of knowing when a person has been authenticated or not. After the password has been approved, the system will probably have to do something to remember that you've already been authenticated (perhaps by adding a cookie to your machine, redirecting you to a specific directory, or maintaining a browsing "session"). The point is, each protected page will probably be verifying that authentication each time you load it. If you try to spoof the system with a pre-made password on a gateway page, each protected page would probably also have to be altered to accept the spoofed password.

    They could also be using the built-in .htaccess password authentication system provided with nearly all web servers out there. .htaccess authentication does not require any HTML code or CGI script in order for it to work, the web server will simply protect any web-pages where it finds a valid .htaccess file.

    So, the short and long answer are really, "No". Good idea, though. Shows lateral thinking.
    /* You are not expected to understand this. */

  3. #3
    Dead Man Walking
    Join Date
    Jan 2003
    Posts
    810
    Well, one problem I can see with your theory is that when you view site coding you are viewing it on your machine, not on the server, so even if you could change the code you would have to have a way to upload the modified html back to the server to replace the original.

  4. #4
    Banned
    Join Date
    Mar 2002
    Posts
    594
    Originally posted here by ZomBieMann77
    Well, one problem I can see with your theory is that when you view site coding you are viewing it on your machine, not on the server, so even if you could change the code you would have to have a way to upload the modified html back to the server to replace the original.
    Couldn't have said it better, when you view a webpage online and you change the source, you're just changing it in your Temporary Internet Files folder, not on the server that holds the webpage. Thus any change, like changing the HTML coding to bypass a password prompt, is quite different. You would have to save the HTML file onto your computer, change it to do what you want, and still find a way to upload it to the server which holds the entire site.... so if you know how to do all that, have fun..

    - Cheers, jaguar291

  5. #5
    Junior Member
    Join Date
    May 2003
    Posts
    25
    Thanks a lot, guys. It wasn't so much a question on how to as much as just theory. Thanks a lot for the info. I kinda knew it couldn't work cause if it did the whole web would be in trouble. Just a thought.

    P.S. but would you really have to load the page on the server? If you saved it in your computer wouldn't the go button (or whatever) still be pointing to the protected page?? Like a web page you save as......... you can still click the links on the page even though the page is on your pc and not the server. I believe you that this type of thing won't work.... but this was just my line of thought when I started the thread.

    Have a wonderful day............. may the forces of evil become confused on the way to your house.
    Hi, I don't care........ Thanks

    4sale

  6. #6
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Lithium: Actually all you are doing is changing what would be sent back to the server. The server is looking for the things the original source would provide. You are changing what you are providing so you would get an access denied/page not found error from the server. As has been said you would need to alter the whole web site to do what you suggest.

    There are several systems that have been "hacked" where the actual submit is changed after authentication. For example.... Let's say you authorize to your online bank. The session is now set aside for you and you can browse all that lovely cash you have..... In many cases part of the url you request each time you move through your account would be something like "userid=736826461". There have been several information leaks where altering that user id to the next consecutive, (or any other valid one for that matter), and, instead of looking at your account, you would see someone else's. I believe this has occurred with at least 1 bank and a credit card company. I believe that it was possible to make alterations/transfers using that method too though I think they were discovered by the good guys before the bad guys found them......
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

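An added example, not part of any post in this thread: a server-side sketch in Python of the two points made in posts #2 and #6. The password and session are checked on the server for every request, so an edited local copy of the form changes nothing, and the "userid=" flaw is shown beside the corrected ownership check. The user names, passwords, balances, the second account number and all function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed demo data. A real system would use a unique random salt per user.
SALT = b"constructed-demo-salt"


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)


USERS = {"alice": ("736826461", _hash("alice-pw")),
         "bob": ("736826462", _hash("bob-pw"))}
ACCOUNTS = {"736826461": {"owner": "alice", "balance": 120},
            "736826462": {"owner": "bob", "balance": 990}}
SESSIONS = {}  # session token -> userid; this mapping never leaves the server


def login(username, password):
    """Verify the password server-side; return a random session token or None."""
    record = USERS.get(username)
    if record is None:
        return None
    userid, stored = record
    if not hmac.compare_digest(stored, _hash(password)):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = userid
    return token


def view_account_unchecked(token, userid):
    """Flawed: confirms that a session exists, then trusts the userid from the URL."""
    if token not in SESSIONS:
        return 401, None
    return 200, ACCOUNTS.get(userid)


def view_account_checked(token, userid):
    """Re-checks the session on every request and that the userid belongs to it."""
    owner = SESSIONS.get(token)
    if owner is None:
        return 401, None  # no valid session, whatever the client-side HTML says
    if owner != userid or userid not in ACCOUNTS:
        return 403, None  # authenticated, but not authorised for this account
    return 200, ACCOUNTS[userid]
```

The only thing the browser holds is the random token; which account it maps to is decided by the `SESSIONS` lookup, not by any value the client sends.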
  7. #7
    Junior Member
    Join Date
    May 2003
    Posts
    25
    oh yeah........... I know how to do all that. I run a website and have for about two years. Bad news is for the first year and 6 months it was a flop. Here in the past 3 months I have increased my traffic 10 fold. Makin about $2,000 a week PROFIT!!!!!! WOO HOO.

    thank you all
    Hi, I don't care........ Thanks

    4sale

  8. #8
    Senior Member Maestr0's Avatar
    Join Date
    May 2003
    Posts
    604
    I think the best way to go about that kind of thing would be to manually post your own values to the page in an attempt to break it with invalid input or test for SQL injection. See if you can make the server return sensitive information and work from there.

    -Maestr0
    "If computers are to become smart enough to design their own successors, initiating a process that will lead to God-like omniscience after a number of ever swifter passages from one generation of computers to the next, someone is going to have to write the software that gets the process going, and humans have given absolutely no evidence of being able to write such software." -Jaron Lanier
