[ale] HTML encryption?

Stephen J. Pellicer spellicer at itillious.com
Wed Oct 31 01:28:03 EST 2001


What a fun little exercise!

Something compelled me to look at this one just to see what this webmonkey
was up to. I have the code I was working with at the end of this message. I
renamed most of the variables to make it more readable. I'm assuming the
long string of junk was calling d: d("Some long string of junk"). To see
what they have as the source I just dropped the webpage into a textarea form
control to take a look at it. The regular expression before printing it to
the textarea is to replace any textarea closing tags that are in the
resulting source. This prevents it from breaking out of the included
textarea control.

The algorithm just goes through and does a simple replace. The replace works
the same in the reverse direction as well. It basically takes any letters
located in the last half of the key and substitutes them with something in
the first half of the key and vice versa. The substitution is based upon
distance from the middle of the key. This essentially sets up a "mirror" in
the middle of the key. Anything to the right of the mirror reflects the
letter on the left of the mirror. If the character in the message doesn't
show up in the key it just passes through.

Pretty neat little late night activity. I sure hope this algorithm wasn't
meant to be a way to secure the web application. That's the main reason I
looked at it because I've been doing a lot of web application assessments
these days and I see silly tricks like this all the time. The simple
substitution is easy for those using it because it's reversible with the
exact same algorithm. That means the coders can just send all of their page
source through the same code and use the results in the page they serve up.
The simple substitution also means you don't get any change in frequencies
of characters and this particular implementation passes through any
character not in the key. Also, if the key repeats any characters you may
run into problems decoding.

Stephen

<!--- snip --->
<script language="JavaScript">
<!--
// Accumulates the decoded output of every d() call.
ky="";

function d(msg) {
  ky=ky+codeIt(key,msg);
}

// 67 characters: the "mirror" sits on index 33 ('X'), which maps to itself.
var key =
"0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz<>]#\"";
// Position ruler for reading key indexes (0-66) off by eye.
var
index="0123456789012345678901234567890123456789012345678901234567890123456";
var test="hello";
var rslt="NQJJG";   // codeIt(key, test) produces this

function codeIt (mKey, eMsg) {
  var indexInKey, halfKeyLen = mKey.length / 2, result = "", dv;
  // Index of the middle character (33 for this key); charAt() truncates the
  // .5 that halfKeyLen carries, so the reflection lands on whole indexes.
  var mid = Math.floor(halfKeyLen);
  for (var x = 0; x < eMsg.length; x++) {
  // Walk through characters in message
    indexInKey = mKey.indexOf(eMsg.charAt(x));
    if (indexInKey > halfKeyLen) {
    // Character in message is in second half of key: reflect it into the first half
      dv = indexInKey - halfKeyLen;
      result = result + mKey.charAt(mid - dv);
    }else {
      if (indexInKey < 0) {
      // Character is not in the key at all: pass it through untouched
        result = result + eMsg.charAt(x);
      }else {
      // Character is in the first half (or the middle) of key: reflect it into the second half
        dv = halfKeyLen - indexInKey;
        result = result + mKey.charAt(mid + dv);
      }
    }
  }
  return result;
}
//d("<FORM><INPUT type=hidden name=haxor value=secret><TEXTAREA>Junk</TEXTAREA><INPUT type=submit></FORM>");
d("4pgdi34mhfab B6FQ=NMRRQH HUIQ=NU7GD 9UJAQ=CQSDQB34bqXbudqu3lAHK4/bqXbudqu34mhfab B6FQ=CATIMB34/pgdi3");
// Escape any </textarea> in the decoded source so it cannot close the display control.
re = /<\/textarea>/gi;
junk = ky.replace(re, "<\\/textarea>");
document.write("<TEXTAREA cols=60 rows=30>"+junk+"</TEXTAREA>");
//document.write(ky);
//-->
</SCRIPT>
<HTML><HEAD>
<TITLE>Junk</TITLE></HEAD><BODY>
</BODY></HTML>
<!---- Done ------------>
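An added example, not code from the post above: the same mirror substitution written as a single lookup, with checks for the three properties Stephen points out (the routine is its own inverse, character frequencies are unchanged, and a key with a repeated character cannot be decoded). KEY is the key from the post; `mirrorCode`, `roundTrips`, `charFrequencies`, `sortedCounts` and `duplicateKeyBreaksDecoding` are names chosen here, and the key "abcdeb" is a constructed bad key.

```javascript
// Added example (not the code from the post): the same "mirror" substitution
// written as a single lookup, plus the checks described in the message.
// KEY is the key from the post; the function names are chosen here.
const KEY = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz<>]#\"";

// Index i in the key is swapped with index (length - 1 - i): the key reads
// as a mirror around its middle character. Anything not in the key passes
// through unchanged, as in the original codeIt().
function mirrorCode(key, msg) {
  let out = "";
  for (const ch of msg) {
    const i = key.indexOf(ch);
    out += i < 0 ? ch : key.charAt(key.length - 1 - i);
  }
  return out;
}

// Applying the substitution twice returns the original message, which is
// why the same routine both "encrypts" the page source and decodes it.
function roundTrips(key, msg) {
  return mirrorCode(key, mirrorCode(key, msg)) === msg;
}

// Per-character counts. A monoalphabetic substitution only relabels
// symbols, so the sorted list of counts is identical before and after
// coding: the ciphertext leaks the plaintext's frequency profile.
function charFrequencies(text) {
  const counts = new Map();
  for (const ch of text) counts.set(ch, (counts.get(ch) || 0) + 1);
  return counts;
}

function sortedCounts(text) {
  return [...charFrequencies(text).values()].sort((a, b) => b - a);
}

// With a repeated character in the key, indexOf() only ever finds the first
// occurrence, so the mirror partner of the second occurrence can never be
// decoded back to it. Constructed example: key "abcdeb", message "a".
function duplicateKeyBreaksDecoding() {
  const badKey = "abcdeb";                 // 'b' appears at index 1 and 5
  const once = mirrorCode(badKey, "a");    // 'a' (0) -> index 5 -> "b"
  const twice = mirrorCode(badKey, once);  // 'b' found at 1 -> index 4 -> "e"
  return { once, twice, recovered: twice === "a" };
}
```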


---
This message has been sent through the ALE general discussion list.
See http://www.ale.org/mailing-lists.shtml for more info. Problems should be 
sent to listmaster at ale dot org.
