Password Protected Source



  • Check out the source code of this site. "mopedsonline.com" I cant tell if it is a joke or for real!

    Hint: Look at the first comment in the source code then scroll down a little bit.



  •  ROFL. Too bad, his awesome protection doesn't work on a fullscreen window on a 1920x1080 screen...



  • Who knows? Maybe something was supposed to appear between the <html> and <HEAD> tags, but we can't see it because we don't have the password.



  • Holy dice, MIDI at full volume! The copyright year must be generated automatically, because I don't believe no one in 11 years questioned this... this.



  •  Nope, it's even better. The copyright year is written by <include>ing http://www.mopedworld.com/copyrightyear.js. The contents of this file?

    document.write("1997-2008")



  • That's probably all the security precautions it'd take to deter the kind of hacker bored enough to try and take that site down.

    And what were you doing on a moped fansite anyway? I thought software engineers were all Rockers...



  •  After clicking around a bit, I found their order form http://mopedworld.com/partform.htm. It seems they abandoned the traditional shopping cart interface in favor of a "tell us what you want and we'll try to buy it for you" method.

    My favorite part of it is hidesource.js which seems to be designed for only IE6 and NS4

     

    Also, after submitting the order form, I was presented with this page.



  • @MiffTheFox said:

    My favorite part of it is hidesource.js which seems to be designed for only IE6 and NS4

     

     

    Nah, this legendary protection system also baffles IE7 users.

    The error reporting system of the order form is quite clever really - why have I been validating my input when I can get the user to do it for me?!



  • @MiffTheFox said:

    After clicking around a bit, I found their order form http://mopedworld.com/partform.htm.

    Also, looking at the source of the "web mistakes" form, it reveals this:

    [code]

    <form action="http://www.flynntechnology.com/mopedworld/procwebmistakesform.asp" method="post"> [/code]
    I have no idea how a "consulting" firm like that could get any customers...


  • @Buzer said:

    I have no idea how a "consulting" firm like that could get any customers...
     

    Their own site is a series of WTFs on it's own.

    From the main page:

    <!-- This script and many more are available free online at -->
    <!-- The JavaScript Source!! http://javascript.internet.com -->
    <!-- Original: Arun kumar (n_arunk@hotmail.com) -->
     

     I especially love this code:

    outputstring = "&copy;" + year + " Flynn Technology Consultants, LLC"
    document.write(outputstring)

    The WTF is that this is in the <head> section, where document.write-ing dosen't impact the page whatsoever.

    Also, by the looks of the comments in the code; the page was thrown together by an editor.

     

    Finally, I saw they had sample code available on their site.  I clicked, thinking that I'd find some WTFs, and I was greeted with an ASP error.

    I do not want to view the horrors of their client sites.



  • @MiffTheFox said:

    The WTF is that this is in the <head> section, where document.write-ing dosen't impact the page whatsoever.

    TRWTF is that Firefox (used to) display images from <img> tags within <head> at the top of the page.



  • @tc386 said:

    Check out the source code of this site. "mopedsonline.com" I cant tell if it is a joke or for real!

    Hint: Look at the first comment in the source code then scroll down a little bit.


    some time ago, a fellow student asked me if you can password protect source code. he saw it in a "hacker challenge site" (you know, one of those websites that use javascript for "decoding" passwords and you have to understand the source to get the link for the next level) and he did not know how to bypass it. He sent me the link and I asked him why he did not just scroll down.

    So, it seems there are really people that can be fooled by measures like that. And that guy knew a lot about javascript, this was level 7 or 8 of the challenge...



  • @mihi said:

    So, it seems there are really people that can be fooled by measures like that. And that guy knew a lot about javascript, this was level 7 or 8 of the challenge...

    Well, I guess it's a case of hiding in plain sight. If I ever branch out into web design, I think I'm going to use this in my own code...



  • @MiffTheFox said:

     I especially love this code:

    outputstring = "&copy;" + year + " Flynn Technology Consultants, LLC"
    document.write(outputstring)

    The WTF is that this is in the <head> section, where document.write-ing doesn't impact the page whatsoever.

    Also, by the looks of the comments in the code; the page was thrown together by an editor.

    It is called from the body, it is simply declared there. This is, or at least was, perfectly normal coding practice for JavaScript.

    Of course, using this is somewhat deceitful, but this sort of trick seems fairly common



  • @Jake Grey said:

    And what were you doing on a moped fansite anyway? I thought software engineers were all Rockers...
     

    OK, here's a crap site for a company that sells proper bikes that don't have the engine attached to the unsuspended mass.  While I applaud the use of frames, I deplore the loss of the backward-scrolling marquee they used to have. 



  •  @Physics Phil said:

    It is called from the body, it is simply declared there. This is, or at least was, perfectly normal coding practice for JavaScript.

    Of course, using this is somewhat deceitful, but this sort of trick seems fairly common

    No, this was the full code:

    <script language="JavaScript" type="text/javascript">
    <!--

    function getCopyRight(){
    var dNow = new Date()
    var year = dNow.getFullYear();
    var outputstring;
    outputstring = "&copy;" + year + " Flynn Technology Consultants, LLC"
    document.write(outputstring)
    }
    //-->
    </script>


  •  @MiffTheFox said:

    No, this was the full code:

    <script language="JavaScript" type="text/javascript">
    ...
    </script>

     

    Oops did that go through?

    I noticed the mistake just as I hit Post and tried to stop it before it went through.



  •  So, what's the password?



  • @Jake Grey said:

    @mihi said:

    So, it seems there are really people that can be fooled by measures like that. And that guy knew a lot about javascript, this was level 7 or 8 of the challenge...

    Well, I guess it's a case of hiding in plain sight. If I ever branch out into web design, I think I'm going to use this in my own code...

    See also: Expert Sex Change, I mean Experts Exchange...


  • I suppose this method of source code protection can be called "idiot-proof" in a very real sense.



  •  Being in the moped (two wheels, 50cc engine and *pedals*) I understand why you would have to give up a regular shopping cart in favor of "try to tell us what you need."

     

    There are only a few brands out there who give any sort of part manuals or service manuals.  For those companies, I have the interactive parts catalogue on my site and you can browse and buy right from there.

    For MOST bikes, however, not only is there no documentation or references, there is no regularity either.  What coil is used on this bike?  Whatever coil was cheapest when THAT particular bike was made.  Within the same year they can switch out dozens of major pieces, none of them interchangeable and none of them having part numbers, etc.

    Most of the time I ask people to take pictures and email them to me.  Oft times we can recogonize what it is, or at least tell you if we've seen one before.  If we haven't, you're screwed.

    Not that that excuses that website -- but it does defend the business model.



  • @TheRider said:

     So, what's the password?

    I'd go for "Access Denied".

    What cracked me up is the hidesource.js "script"...

    var message="Sorry, this website contains a foreign code which cannot be viewed with this web browser";

    Security by obscurity? Instead of telling you outright "Right-click" disabled, it tells you about a "foreign code" that cannot be viewed!

    Anyway, I hate those right-click disablers. Oh, and even in IE6, using the "right-click" keyboard button bypasses this "security".



  • @tc386 said:

    Check out the source code of this site. "mopedsonline.com" I cant tell if it is a joke or for real!

     

     

    Gosh. It looks like it was done in 1994 and never updated since.

    The subtitle in Star Wars font is especially ugly. 



  • @mihi said:

    So, it seems there are really people that can be fooled by measures like that. And that guy knew a lot about javascript, this was level 7 or 8 of the challenge...

    I wouldn't assume he knows javascript.  I mean you just got him to level 8 or 9.  I bet he only gets to maybe 12 because then he runs out of friends to ask.



  •  wow... very geocities-esque.

    And I thought my site was bad. :/


Log in to reply