Java Secure?

Thread: Java Secure?

  1. #1 (Member, joined Feb 2003, 50 posts)

    Java Secure?

    OK, here's my situation: I'm trying to make a secure username and password prompt, but I'm kind of limited in what I can use because I'm using free Geocities hosting (gah, I know, I'm buying some good hosting soon). And I used CoffeeCup Password Wizard to make a .class login. Can anyone look at this and see if you can break in? I know this is a security site, but I'm trying to secure it, so I want to see if anyone can break into it. I tried everything I knew to do, decompile it, etc. And I found no easy way in. Website: http://www.geocities.com/ayp1320/HackThis/index.html

    Thanks!
    Hacker dan

  2. #2
    There was a way: simply type http://www.geocities.com/ayp1320/index.htm and yippee...

    Perhaps make a redirect scheme to where if a user types the URL directly gives an error message, but if JavaScript is turned off, that can be bypassed pretty easily as well.

    Does your server allow .htaccess files? Heh, I will not even go there... let's put it this way... just make sure to make them read-only.

    Perhaps get hosting with server side access.

  3. #3 (Member, joined Feb 2003, 50 posts)
    No, my index page isn't my target URL, try again heh. And I'm new to this; I doubt it allows it because it's crappy free hosting. How would I make a script so that if you typed the target URL in, it would go to an error page?
    Hacker dan

  4. #4 (Senior Member, joined Jan 2002, 1,207 posts)
    A client-side login is *never* secure, because no matter how hard you try to make it secure, there are always ways around it.

    The only way of making it acceptably secure is to have it rely on redirecting the user to a directory with a difficult name to guess. Unfortunately, once there, they can bookmark it, or give the address to their friends and then they won't need the password any more.

    So if you use *any* client-side login (Javascript, Java, Flash etc), it won't be secure. On many of these, the password is simply inside the applet / Flash / Javascript, or a way to bypass the password is stored. Someone with the appropriate decompiler and/or knowledge can get around it.

  5. #5 (Member, joined Feb 2003, 50 posts)
    Yep, I thought of that too, but it's all I have for now until I buy some good hosting.
    Hacker dan

  6. #6 (Senior Member, joined Oct 2002, 181 posts)
    As per normal, slarty is spot on and has beaten me to it. As it's a Java applet, the password is on any machine that downloads (views) it, so the password is there; it's just a matter of whether you read the Java code.

    SittingDuck
    I'm a SittingDuck, but the question is "Is your web app a Sitting Duck?"

  7. #7
    I downloaded the Java code, decompiled it, and still no user name or password. All it does is read the encrypted text in the PARAM set in the code. The only way I can see to get around this is to:

    1. Crack the ciphered text. I went to Google and there was a decrypter, but alas, it did not work. I think CoffeeCup changed the scheme since 2001.

    Oh yeah, I even grabbed his whole web site, and the /HackThis/ directory did not yield any files other than the page with the applet and the joylock class file. So, this looks pretty good...

  8. #8 (Senior Member, joined Feb 2003, 109 posts)
    I like Unix too. This one is real easy to take care of. All you need is DJ Java Decompiler and some Java knowledge.

    1. Save the HTML file that has the Java applet in it.
    2. Look at the source of the page and type the name of the .class file in the code parameter of the APPLET tag after the last / in your address bar (joystick.class).
    3. Save the file somewhere (in this case it's joystick.class).
    4. Decompile the class file with DJ.
    5. At the end of the init() function, put the following code:

    textArea.append("\nuser: "+username[0]+"\npass: "+password[0]+"\nURL: "+urls[0]);

    6. Recompile it with javac using the same name as the original file.
    7. Place the class file and the HTML file you saved in the same directory.
    8. Open the HTML file with your favorite Java-enabled browser.

    This will print the deciphered username, password, and URL.

    The username, password, and url should never be stored plaintext in a variable, especially in java. Let that be a lesson to all.

    In order to make it more secure, one could encrypt the URL with the username and password combination. That way, the only way to decrypt the URL would be to know the username and password. The people who made this don't know jack about security. I mean, who honestly puts authentication data through reversible encryption anymore?
    $person!=$kiddie or die("Alas, die you hotmail hacker!!");
    SecureVision
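The scheme SecureVision suggests in the last paragraph, worked through as an added example (not CoffeeCup's code and not from this thread): the target URL is sealed under a key derived from the username and password with PBKDF2 and AES-GCM, so the applet's PARAM holds nothing that decompiling or an appended print statement can reveal without both credentials. The class name, sample credentials, URL and iteration count are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical helper (not CoffeeCup's code): the hidden URL is the only secret and is
// sealed under a key derived from username + password, so the PARAM is useless on its own.
public class SealedUrl {
    private static final int ITERATIONS = 200000; // assumed; slows offline guessing of the blob
    static SecretKey deriveKey(String user, String pass, byte[] salt) throws Exception {
        // Both credentials feed the KDF; a wrong username changes the key as much as a wrong password.
        PBEKeySpec spec = new PBEKeySpec((user + "\0" + pass).toCharArray(), salt, ITERATIONS, 256);
        byte[] raw = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        return new SecretKeySpec(raw, "AES");
    }
    // Run once by the site owner; the returned string is what would go into the applet's PARAM.
    static String seal(String user, String pass, String url) throws Exception {
        byte[] salt = new byte[16], nonce = new byte[12];
        SecureRandom rng = new SecureRandom();
        rng.nextBytes(salt); rng.nextBytes(nonce);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, deriveKey(user, pass, salt), new GCMParameterSpec(128, nonce));
        byte[] ct = c.doFinal(url.getBytes(StandardCharsets.UTF_8));
        Base64.Encoder b64 = Base64.getEncoder();
        return b64.encodeToString(salt) + ":" + b64.encodeToString(nonce) + ":" + b64.encodeToString(ct);
    }
    // Run by the applet at login; wrong credentials fail the GCM tag check instead of
    // quietly producing a wrong URL, so there is no plaintext to dump.
    static String open(String user, String pass, String blob) throws Exception {
        String[] part = blob.split(":");
        Base64.Decoder b64 = Base64.getDecoder();
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, deriveKey(user, pass, b64.decode(part[0])), new GCMParameterSpec(128, b64.decode(part[1])));
        return new String(c.doFinal(b64.decode(part[2])), StandardCharsets.UTF_8);
    }
    public static void main(String[] args) throws Exception {
        String blob = seal("dan", "correct horse battery", "http://example.invalid/hard-to-guess-dir/");
        System.out.println(open("dan", "correct horse battery", blob));
        try { open("dan", "wrong password", blob); }
        catch (AEADBadTagException e) { System.out.println("wrong credentials: no URL recovered"); }
    }
}
```

The blob still permits offline guessing of weak credentials, and once the URL is recovered it can be bookmarked, as slarty noted, so this raises the attacker's cost but is no substitute for the server-side check the thread recommends.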

  9. #9 (Member, joined Sep 2002, 98 posts)
    No way secure:

    target url:
    www.bored.com
    sss.rnhge.anj
    bbb.uvehg.mvw

    sub key table:
    fwsqrudelanpcgztkjxhbomiyv
    cykldjerimqvtoshzbwxpnagfu

    length(password) :9
    length(username):9
    length(url):13

    BTW, no need for a Java decompiler... you don't even have to know the username/password combination!

    Congrats to CoffeeCup, this thing sucks.
    If you want to have real security, use PHP or other server-side langs. Need a free host with PHP enabled? Here.

  10. #10 (Member, joined Feb 2003, 50 posts)
    Thank you everyone, now I have a taste of how insecure this is. I'll try to learn PHP now.

    I have PHP now. Will it cost for a "PHP compiler", or is it like JavaScript, where you don't need one? Where can I learn PHP? And any additional info on it would be great. Thanks ahead of time.
    Hacker dan
