Recursive javascript security



  • Check out this page.



    These guys don't want you to see how they made their awesome HTML codes work so you cannot right click.

    If you happen to get through their first line of defence, fear not they have a contingency for that! Darn! That the source code is not available.

    Now for you uber 1337 hackers out there who manage to hack your way past security measure number 2, you will NEVER get past their 1337 obfuscation algorithm designed to hide their first line of defence so you cannot discover how to defeat it.

    See how far you can "hack" this site!

     

     



  •  And, of course, the wonderful comment in their source code:

    <!-- CHANGE THE ABOVE THREE LINES -->

     



  •                 <center><center><center><center><center><center><center><center>
    <center><center>
    <p align="left">

     

    ...used repeatedly throughout the page, especially later on. In the last 1/8 of the source (as measured by scrollbar), they do this between every paragraph. There is one forest of 10 </center>'s, but that comes right before the real <center>ing starts. Whoever (or whatever) wrote this page is FREAKING INSANE.

    The obfuscated script also breaks middle-click by detecting right-clicks with "event.button>1".


  • Considered Harmful

    One of the funniest and WTFy things I've seen in HTML is: <center align="left">.



  • I loved this.  I showed my 'uber skillz' to my wife, showing her the ridiculousness of these kinds of websites.  When I went to 'view source', she saw the "Source code not available" and immediately noticed how tiny the scroll bar looked, and asked me to scroll down.  If this website can't fool my wife, who has no html and programming experience, who did it fool to convince someone that this would be useful?



  • Note the navigation that fails to work if JavaScript is off.

    And by the way, I never actually right-click to view source.  All the cool kids use Ctrl+U.



  • @joe.edwards said:

    One of the funniest and WTFy things I've seen in HTML is: <center align="left">.

    At least that doesn't work, at least on Firefox (it still centers), but you piqued my curiosity... <center style='text-align: left;'> works (And I use works very loosely here...).



  • Then they escaped some code, making it virtually indecipherable (LOL); unless, of course, you have to deal with this sort of thing on a daily basis & you've written a handy utility:



  • @joemck said:

    The obfuscated script also breaks middle-click by detecting right-clicks with "event.button>1".

    Not on Opera - the script just doesn't work.

    OTOH Opera spontaneously (and consistently) breaks middle-click if you don't restart it often enough.



  • @KludgeQueen said:

    unless, of course, you have to deal with this sort of thing on a daily basis & you've written a handy utility
    You should add an option of running the output through a code beautifier / indenter.

    As for the <center> nonsense:

    <meta name="GENERATOR" content="Microsoft FrontPage 5.0">

    And does think it's better to use those arrows to scroll the page instead of using the scrollbar or the mouse wheel?



  • @ShaggyB said:

    Check out this page.





    Aaah, you're making us scroll down! That is a lesson well learned from the last thread about JS obfuscation.

    @ShaggyB said:

    These guys don't want you to see how they made their awesome HTML codes work so you cannot right click.

    Funny how the left sidebar isn't word-wrapped at all. Why do people who hide source always have shitty web templates that no one wants to steal?

    :right click: "You may not right click mouse this page" :click OK: :context menu springs right up:

    Never fails to amuse me.

    :ctrl+S: Works fine! :ctrl+U: Works fine!

    Scroll down! Scroll down! (Like we learned in the last thread)

    Too bad I don't have Firefox Web Developer toolbar installed on this computer or I'd grab the generated source in no time at all...



  • @WWWWolf said:

    Too bad I don't have Firefox Web Developer toolbar installed on this computer or I'd grab the generated source in no time at all...
     

    I'm glad that Firebug now has a view source option as well, because Pederick's webdev toolbar's view source stopped working in FFX3 (known issue).

     

    I'm curious where the recursion is, by the way.



  • @Vempele said:

    OTOH Opera spontaneously (and consistently) breaks middle-click if you don't restart it often enough.
    What's "often enough"? This instance of Opera has been running since 15:18:32 11.6.2008 (according to Process Explorer), and I have no problems with middle click scrolling (this reminds me, I should probably upgrade to 9.51 - I skipped on 9.50 final as it is).



  • @ender said:

    @Vempele said:
    OTOH Opera spontaneously (and consistently) breaks middle-click if you don't restart it often enough.
    What's "often enough"? This instance of Opera has been running since 15:18:32 11.6.2008 (according to Process Explorer), and I have no problems with middle click scrolling (this reminds me, I should probably upgrade to 9.51 - I skipped on 9.50 final as it is).

    9.5 (and 9.51) have been kind of touchy, it seems. I think they have some minor stability issues to work out. On the other hand, I love the improvements. On the first hand, they changed all the keyboard shortcuts! Argh!



  •  Guys, it's perfectly understandable that they don't want anybody stealing the code they've worked so hard on....

    //Page Scroller (aka custom scrollbar)- By Dynamic Drive
    //For full source code and more DHTML scripts, visit http://www.dynamicdrive.com
    //This credit MUST stay intact for use

    At least they kept the credits around for (nobody) to see.

     



  •  404 Recursivity Not Found

     

    The title of this post is TRWTF.



  • Umm.... so this is their uber-sensitive, top secret code they tried so desperately hard to hide from us? WTF?

    The only code they're hiding is the code to prevent right-clicking, in an effort to hide their code. So that's why this is "recursive" security. :P

     

    <SCRIPT type="text/javascript">
    <!--
        am="You may not right click mouse this page";
        bV=parseInt(navigator.appVersion);
        bNS=navigator.appName=="Netscape";
        bIE=navigator.appName=="Microsoft Internet Explorer";

        function nrc(e)
        {
            if(bNS && e.which>1)
            {
                alert(am);
                return false
            }
            else
            if(bIE && (event.button>1))
            {
                alert(am);
                return false
            }
        }

        document.onmousedown=nrc;

        if(document.layers)
            window.captureEvents(Event.MOUSEDOWN);

        if(bNS && bV<5)
            window.onmousedown=nrc;

        function one()
        {
            return true
        }

        onerror=one;

    //--></SCRIPT>



  • Dudes have apparently never heard of wget.  Geez.  Do they think "View Source" is the only way to get to the source for a page?

     


  • BINNED

    @WWWWolf said:

    Funny how the left sidebar isn't word-wrapped at all. Why do people who hide source always have shitty web templates that no one wants to steal?

    Another thing: Look at those strange scroll buttons.

    One of them is simply a rotated version of the other so the drop shadows don't match. And neither of them looks right! A drop shadow on the bottom right would probably look ok.

    Who would steal such crap?



  • @KludgeQueen said:

    Unless, of course, you have to deal with this sort of thing on a daily basis & you've written a handy utility

     

    You just scared me...



  • @Volmarias said:

    @ender said:
    @Vempele said:
    OTOH Opera spontaneously (and consistently) breaks middle-click if you don't restart it often enough.
    What's "often enough"? This instance of Opera has been running since 15:18:32 11.6.2008 (according to Process Explorer), and I have no problems with middle click scrolling (this reminds me, I should probably upgrade to 9.51 - I skipped on 9.50 final as it is).

    9.5 (and 9.51) have been kind of touchy, it seems. I think they have some minor stability issues to work out. On the other hand, I love the improvements. On the first hand, they changed all the keyboard shortcuts! Argh!

    Agreed. Who thought it would be a good idea to change the "find next" shortcut? I thought everyone got together and decided on F3 ages ago.



  • The right-click blocker seems to do absolutely nothing in Firefox...

     



  • @u2892 said:

    The right-click blocker seems to do absolutely nothing in Firefox...

    Firefox has an option to keep the context menu intact, but that doesn't stop the alert from appearing.  However, some web applications (*cough* Google Docs */cough*) require you to disable this option in order to use the custom context menus.  If that option's off, the context menu doesn't show.



  •  @KludgeQueen said:

    Then they escaped some code, making it virtually indecipherable (LOL); unless, of course, you have to deal with this sort of thing on a daily basis & you've written a handy utility:

    WScript.echo(unescape("...")); is a lot easier



  • @seconddevil said:

     @KludgeQueen said:

    Then they escaped some code, making it virtually indecipherable (LOL); unless, of course, you have to deal with this sort of thing on a daily basis & you've written a handy utility:

    WScript.echo(unescape("...")); is a lot easier

     

    <samp>javascript:alert(unescape("...")); void 0;</samp> is even easier than that.
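
The decoding step discussed in the posts above, done statically so the escaped script is only read and never run. This is an added example, not code from the thread or from the page being discussed; the function names and the two-layer sample are assumptions built around the alert text quoted in the thread.

```javascript
// Added example: read escape()-obfuscated script statically instead of executing it.

// Decode the %XX and %uXXXX sequences that the legacy unescape() understands.
function decodeEscaped(s) {
  return s.replace(/%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g, (_, u, h) =>
    String.fromCharCode(parseInt(u || h, 16)));
}

// Find every unescape("...") call, decode its literal, and look inside the
// result for further layers. Nothing is evaluated or written to a document.
function extractPayloads(source, depth = 0, maxDepth = 5) {
  const call = /unescape\(\s*(["'])((?:(?!\1)[^\\])*)\1\s*\)/g;
  const found = [];
  for (const m of source.matchAll(call)) {
    const decoded = decodeEscaped(m[2]);
    found.push({ depth, decoded });
    if (depth + 1 < maxDepth) {
      found.push(...extractPayloads(decoded, depth + 1, maxDepth));
    }
  }
  return found;
}

// Constructed sample: the alert text from the thread, wrapped in two layers.
const encodeAll = (s) => [...s].map((c) =>
  "%" + c.charCodeAt(0).toString(16).toUpperCase().padStart(2, "0")).join("");
const wrap = (js) => `document.write(unescape("${encodeAll(js)}"));`;
const SAMPLE = wrap(wrap('am="You may not right click mouse this page";'));

for (const p of extractPayloads(SAMPLE)) {
  console.log(`layer ${p.depth + 1}: ${p.decoded}`);
}
```

Run it with Node.js on a saved copy of the page source; each layer is printed as text, so the output can go straight into a beautifier.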



  • Also, the page generates errors way too often and makes it go slow.



  •  @mrprogguy said:

    Dudes have apparently never heard of wget.  Geez.  Do they think "View Source" is the only way to get to the source for a page?

     

    I have been asked so many times to do this kind of stuff, that I have a template text answer that I email my customers when they ask for this paranoid stupid right click shit. Usually they just want to protect their images, but don't like watermarks, or they don't want their "design" (that will be the css) stolen. 

    The text basically says that whatever crap we can attempt, it's just not going to work and it's not worth the effort. Still they are willing to pay because they feel their content is more secure, even if only the average IE user can't get their content. 

    Most of the time I just slap an oncontextmenu="return false" and when they don't get the right-click menu then they are happy.

    Of course there are the more paranoid types who know too much for their own good and ask me to encrypt their javascript, php code, database, etc.
    After a lesson* learned the hard way a long time ago, I tell this kind of paranoids to get someone else.

    *Lesson: About 6 years ago a crazy client actually sued me over a 1000€ site, because he could still find the image files in his temp folder.

     



  • @fatdog said:

     @mrprogguy said:

    Dudes have apparently never heard of wget.  Geez.  Do they think "View Source" is the only way to get to the source for a page?

     

    I have been asked so many times to do this kind of stuff, that I have a template text answer that I email my customers when they ask for this paranoid stupid right click shit. Usually they just want to protect their images, but don't like watermarks, or they don't want their "design" (that will be the css) stolen. 

    The text basically says that whatever crap we can attempt, it's just not going to work and it's not worth the effort. Still they are willing to pay because they feel their content is more secure, even if only the average IE user can't get their content. 

    Most of the time I just slap an oncontextmenu="return false" and when they don't get the right-click menu then they are happy.

    I've always been annoyed by those "right-click" disablers. But the worst javascript "security" I've seen was a friend's page, which had an "extreme pics" section. Trying to enter this would ask you for a username/password combination... which was validated against JavaScript.

    Sure enough, I proceeded to "View Source" and found something like this:

    if (username == "monkey" && password == "toratoratora")

          ......

    The actual "secure" page also had a right-click disabler ... which for some reason, my Netscape Communicator 4.01 Linux browser seemed to ignore, so I also was able to download the pics. My friend, by the way, didn't want to give me the URL because he was afraid I might "hack" his page! I still wonder why so many people thought that doing "Javascript password validation" was a good idea.
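
For contrast with the in-page comparison quoted in the post above, here is the same check done where "View Source" cannot reach it. This is an added example, not code from the thread; it assumes a Node.js server, and the `USERS` store, function names and `/private/` path are hypothetical.

```javascript
// Added example: the credential check moved to the server (Node.js built-in crypto).
const crypto = require("crypto");

// Store a random salt and a derived key, never the password itself.
function makeRecord(password) {
  const salt = crypto.randomBytes(16);
  return { salt, key: crypto.scryptSync(password, salt, 32) };
}

// Constructed user store reusing the values quoted in the post above;
// a real one is a database that only the server can read.
const USERS = new Map([["monkey", makeRecord("toratoratora")]]);
// Record used for unknown usernames so they cost the same work as known ones.
const DUMMY = makeRecord(crypto.randomBytes(16).toString("hex"));

// Runs on the server: the browser sends the attempt and gets back only
// true or false, so the page source holds nothing to compare against.
function verifyLogin(username, password) {
  const rec = USERS.get(username) || DUMMY;
  const candidate = crypto.scryptSync(String(password), rec.salt, 32);
  const match = crypto.timingSafeEqual(candidate, rec.key);
  return match && USERS.has(username);
}

// The content is gated too: a request for the protected path (hypothetical
// "/private/") is refused unless the session belongs to a logged-in user.
function authorize(session, path) {
  if (path.startsWith("/private/") && !session.user) return 403;
  return 200;
}

console.log(verifyLogin("monkey", "toratoratora"));
console.log(verifyLogin("monkey", "guess"));
console.log(authorize({}, "/private/pic1.jpg"));
```

With the files refused by the server for anonymous sessions, a right-click disabler adds nothing: there is no response body to save until the login has succeeded.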



  • @Zecc said:

    @KludgeQueen said:

    unless, of course, you have to deal with this sort of thing on a daily basis & you've written a handy utility
    You should add an option of running the output through a code beautifier / indenter.

    Why bother? Nothing could make this code look beautiful.

