[ale] HTML encryption?

Geoffrey esoteric at denali.atlnet.com
Wed Oct 31 08:09:01 EST 2001


I don't know the purpose of this particular app, but I agree with you
that I would hope it's not intended to create a secure solution.  I've
seen another web site that did just that.  It claimed that your credit
card was encrypted before it was sent.  I noted that it was not using
ssl.  I checked out the code and it was even more trivial than this
piece.  Basically did an alphabetic shift of the characters.  Took me
all of 5 minutes to 'decrypt' the solution.  I sent email to the
'webmaster' but never heard anything back.  Last I looked, it was still
using the same solution.  Sad, because the person is either ignorant, or
doesn't care about the security of folks' information.

"Stephen J. Pellicer" wrote:
> 
> What a fun little exercise!
> 
> Something compelled me to look at this one just to see what this webmonkey
> was up to. I have the code I was working with at the end of this message. I
> renamed most of the variables to make it more readable. I'm assuming the
> long string of junk was calling d: d("Some long string of junk"). To see
> what they have as the source I just dropped the webpage into a textarea form
> control to take a look at it. The regular expression before printing it to
> the textarea is to replace any textarea closing tags that are in the
> resulting source. This prevents it from breaking out of the included
> textarea control.
> 
> The algorithm just goes through and does a simple replace. The replace works
> the same in the reverse direction as well. It basically takes any letters
> located in the last half of the key and substitutes them with something in
> the first half of the key and vice versa. The substitution is based upon
> distance from the middle of the key. This essentially sets up a "mirror" in
> the middle of the key. Anything to the right of the mirror reflects the
> letter on the left of the mirror. If the character in the message doesn't
> show up in the key it just passes through.
> 
> Pretty neat little late night activity. I sure hope this algorithm wasn't
> meant to be a way to secure the web application. That's the main reason I
> looked at it because I've been doing a lot of web application assessments
> these days and I see silly tricks like this all the time. The simple
> substitution is easy for those using it because it's reversible with the
> exact same algorithm. That means the coders can just send all of their page
> source through the same code and use the results in the page they serve up.
> The simple substitution also means you don't get any change in frequencies
> of characters and this particular implementation passes through any
> character not in the key. Also, if the key repeats any characters you may
> run into problems decoding.
> 
> Stephen
> 
> <!--- snip --->
> <script language="JavaScript">
> <!--
> ky="";
> 
> function d(msg) {
>   ky=ky+codeIt(key,msg);
> }
> 
> var key = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz<>]#\"";
> var index = "0123456789012345678901234567890123456789012345678901234567890123456";
> var test="hello";
> var rslt="NQJJG";
> 
> function codeIt (mKey, eMsg) {
>   // The key is 67 characters long, so halfKeyLen is 33.5; charAt() truncates
>   // the fractional index, and every key position i ends up mapped to 66 - i
>   var indexInKey, halfKeyLen =  mKey.length / 2, result = "", dv;
>   for (var x = 0; x < eMsg.length; x++) {
>   // Walk through characters in message
>     indexInKey = mKey.indexOf(eMsg.charAt(x));
>     if (indexInKey > halfKeyLen) {
>     // Character in message is in second half of key
>       dv = indexInKey - halfKeyLen;
>       result = result + mKey.charAt(33 - dv);
>     } else {
>       if (indexInKey < 0) {
>       // Character not in the key passes through unchanged
>         result = result + eMsg.charAt(x);
>       } else {
>       // Character in message is in first half of key
>         dv = halfKeyLen - indexInKey;
>         result = result + mKey.charAt(33 + dv);
>       }
>     }
>   }
>   return result;
> }
> //d("<FORM><INPUT type=hidden name=haxor value=secret><TEXTAREA>Junk</TEXTAREA><INPUT type=submit></FORM>");
> d("4pgdi34mhfab B6FQ=NMRRQH HUIQ=NU7GD 9UJAQ=CQSDQB34bqXbudqu3lAHK4/bqXbudqu34mhfab B6FQ=CATIMB34/pgdi3");
> re = /<\/textarea>/gi;
> junk = ky.replace(re, "<\\/textarea>");
> document.write("<TEXTAREA cols=60 rows=30>"+junk+"</TEXTAREA>");
> //document.write(ky);
> //-->
> </SCRIPT>
> <HTML><HEAD>
> <TITLE>Junk</TITLE></HEAD><BODY>
> </BODY></HTML>
> <!---- Done ------------>
> 
> ---
> This message has been sent through the ALE general discussion list.
> See http://www.ale.org/mailing-lists.shtml for more info. Problems should be
> sent to listmaster at ale dot org.

--
Until later: Geoffrey		esoteric at denali.atlnet.com

"...the system (Microsoft passport) carries significant risks to users
that are not made adequately clear in the technical documentation available."
- David P. Kormann and Aviel D. Rubin, AT&T Labs - Research
- http://www.avirubin.com/passport
