June 27th, 2003, 09:00 PM
Ok, here's my situation: I'm trying to make a secure username and password prompt, but I'm kind of limited in what I can use because I'm using free GeoCities hosting (gah, I know, I'm buying some good hosting soon). And I used CoffeeCup Password Wizard to make a .class login. Can anyone look at this and see if you can break in? I know this is a security site, but I'm trying to secure it, so I want to see if anyone can break into it. I tried everything I knew to do, decompile it, etc. etc., and I found no easy way in. Website: http://www.geocities.com/ayp1320/HackThis/index.html
June 27th, 2003, 09:18 PM
There was a way: simply type http://www.geocities.com/ayp1320/index.htm and yippee...
Does your server allow .htaccess files? Heh, I will not even go there... let's put it this way... just make sure to make them read-only.
Perhaps get hosting with server side access.
June 27th, 2003, 09:46 PM
No, my index page isn't my target URL, try again, heh. And I'm new to this; I doubt it allows it because it's crappy free hosting. How would I make a script so that if you typed the target URL in, it would go to an error page?
June 27th, 2003, 09:47 PM
A client-side login is *never* secure, because no matter how hard you try to make it secure, there are always ways around it.
The only way of making it acceptably secure is to have it rely on redirecting the user to a directory with a difficult name to guess. Unfortunately, once there, they can bookmark it, or give the address to their friends and then they won't need the password any more.
June 27th, 2003, 09:49 PM
Yep, I thought of that too, but it's all I have for now until I buy some good hosting.
June 27th, 2003, 10:30 PM
As per normal, slarty is spot on and beat me to it. As it's a Java applet, the password is on any machine that downloads (views) it, so the password is there; it's just a matter of whether you read the Java code.
I'm a SittingDuck, but the question is "Is your web app a Sitting Duck?"
June 27th, 2003, 11:02 PM
I downloaded the Java code, decompiled it, and still no user name or password. All it does is read the encrypted text in the PARAM set in the code. The only way I can see to get around this is to
1. Crack the ciphered text. I went to Google and there was a decrypter, but alas, it did not work. I think CoffeeCup changed the scheme since 2001.
Oh yeah, I even grabbed his whole web site, and the /HackThis/ directory did not yield any other files other than the page with the applet and the joylock class file. So, this looks pretty good....
June 28th, 2003, 12:42 AM
I like Unix too. This one is real easy to take care of. All you need is DJ Java Decompiler and some Java knowledge.
1. Save the HTML file that has the Java applet in it.
2. Look at the source of the page and type the name of the .class file in the code parameter of the APPLET tag after the last / in your address bar (joystick.class).
3. Save the file somewhere (in this case it's joystick.class).
4. Decompile the class file with DJ.
5. At the end of the init() function, put the following code:
textArea.append("\nuser: "+username+"\npass: "+password+"\nURL: "+urls);
6. Recompile it with javac using the same name as the original file.
7. Place the class file and the HTML file you saved in the same directory.
8. Open the HTML file with your favorite Java-enabled browser.
This will print the deciphered username, password, and URL.
The username, password, and url should never be stored plaintext in a variable, especially in java. Let that be a lesson to all.
In order to make it more secure, one could encrypt the URL with the username and password combination. That way, the only way to decrypt the URL would be to know the username and password. The people who made this don't know jack about security. I mean, who honestly puts authentication data through reversible encryption anymore?
$person!=$kiddie or die("Alas, die you hotmail hacker!!");
June 28th, 2003, 01:07 AM
No way secure:
sub key table:
BTW, no need for a Java decompiler.... You don't even have to know the username/password combination!
Congrats to CoffeeCup, this thing sucks.
If you want to have real security, use PHP or other server-side languages; need a free host with PHP enabled? Here.
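An added example, not from this thread and not CoffeeCup's code, illustrating the two points made above: the reply with the decompile-and-append steps shows that anything reversibly encoded in the applet's PARAM tags is recoverable by anyone who saves the .class file, and the suggestion that followed it is to encrypt the URL under the username and password instead. The script below (standard-library Python only) builds a constructed substitution-table scheme as a stand-in for the weak one, shows the attacker decoding it with no credentials, then seals the URL under a key derived from the credentials with PBKDF2 and an HMAC tag. The usernames, passwords, URL, iteration count and the HMAC-counter stream cipher are all assumptions for the demonstration; a deployed version would use AES-GCM from a real crypto library.

```python
"""Client-side login: a reversible scheme beside a credential-derived one.
Everything here is constructed for illustration; it is not CoffeeCup's
format, and the names, values and URL are hypothetical."""
import hashlib
import hmac
import random
import secrets

# ---- Weak scheme: fixed substitution table shipped inside the applet ----
# A byte permutation generated from a constant seed stands in for the
# applet's built-in decoding table. Whoever saves the .class file has it.
_rng = random.Random(1320)
_SBOX = list(range(256))
_rng.shuffle(_SBOX)
_INV_SBOX = [0] * 256
for _i, _v in enumerate(_SBOX):
    _INV_SBOX[_v] = _i


def weak_encode(text: str) -> str:
    return bytes(_SBOX[b] for b in text.encode()).hex()


def weak_decode(encoded: str) -> str:
    return bytes(_INV_SBOX[b] for b in bytes.fromhex(encoded)).decode()


def weak_params(username: str, password: str, url: str) -> dict:
    """What the PARAM tags would carry under the weak scheme."""
    return {"user": weak_encode(username), "pass": weak_encode(password),
            "url": weak_encode(url)}


def recover_from_params(params: dict) -> tuple:
    """The attack from the thread: the decoder is in the applet, so run it.
    No credentials are needed."""
    return (weak_decode(params["user"]), weak_decode(params["pass"]),
            weak_decode(params["url"]))


# ---- Stronger scheme: URL sealed under a key derived from the credentials ----
_PBKDF2_ROUNDS = 100_000  # assumption: slows offline guessing, does not stop it


def _derive_key(username: str, password: str, salt: bytes) -> bytes:
    # 32 bytes out: first half encrypts, second half authenticates.
    return hashlib.pbkdf2_hmac("sha256", f"{username}\0{password}".encode(),
                               salt, _PBKDF2_ROUNDS)


def _keystream(key: bytes, length: int) -> bytes:
    # Illustrative HMAC-counter stream; use AES-GCM in anything deployed.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return out[:length]


def seal_url(username: str, password: str, url: str) -> dict:
    """Nothing in the output reveals the URL, the username or the password."""
    salt = secrets.token_bytes(16)
    key = _derive_key(username, password, salt)
    enc_key, mac_key = key[:16], key[16:]
    data = url.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(enc_key, len(data))))
    tag = hmac.new(mac_key, salt + ct, "sha256").digest()
    return {"salt": salt.hex(), "ct": ct.hex(), "tag": tag.hex()}


def open_url(username: str, password: str, params: dict):
    """Returns the URL for the right credentials, None for anything else."""
    salt, ct, tag = (bytes.fromhex(params[k]) for k in ("salt", "ct", "tag"))
    key = _derive_key(username, password, salt)
    enc_key, mac_key = key[:16], key[16:]
    expected = hmac.new(mac_key, salt + ct, "sha256").digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, len(ct)))).decode()


def offline_guess(params: dict, username: str, wordlist: list):
    """The remaining weakness: everything needed to test a guess is public,
    so a weak password still falls to a dictionary run against the page."""
    for candidate in wordlist:
        if open_url(username, candidate, params) is not None:
            return candidate
    return None


if __name__ == "__main__":
    URL = "http://example.invalid/secret/"  # constructed target URL
    weak = weak_params("ayp", "letmein", URL)
    print("weak scheme, recovered with no credentials:", recover_from_params(weak))
    sealed = seal_url("ayp", "letmein", URL)
    print("sealed, wrong password ->", open_url("ayp", "wrong", sealed))
    print("sealed, right password ->", open_url("ayp", "letmein", sealed))
    print("sealed, dictionary run ->",
          offline_guess(sealed, "ayp", ["password", "123456", "letmein"]))
```

The sealed form is only as strong as the password, and once a visitor has opened it the plain URL is theirs to bookmark or pass on, which is the same limit the earlier reply pointed out for hard-to-guess directory names; that is why the server-side check the last reply asks for is the real fix.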
June 28th, 2003, 02:31 AM
Thank you everyone, now I have a taste of how insecure this is. I'll try to learn PHP now.
I have PHP now. Will it cost for a "PHP compiler", or is it like JavaScript, where you don't need one? Where can I learn PHP? And any additional info on it would be great. Thanks in advance.