The Ultra-Secure and Obscure JavaScript Login Page



  • Winova Van Norman is some sort of hardware or construction company.   Their "About Us" reads "Since 1888, the company has designed and manufactured machining
    equipment and continues to innovate new solutions. A full range of
    equipment includes machinery for motorcycles, small engines,
    automobile, diesel, marine and high performance engine rebuilding."

    Okay, so at least they don't pretend to be an "Internet Security Consulting" firm.  But they did go through the trouble of putting up some attempt at a secure login page; you have to be a registered user in order to see their online brochures for some reason.

     Looking at the source of their homepage, there's not anything that immediately jumps out in terms of security flaws. Until you see the JavaScript function that's called when you submit the login form. It calls a function called Login();  If you want to see what this function does, you have to open the lone JavaScript include, located at /work.js.  Here, you'll see the awesomeness that is the Login() function.

    function Login(){
    var done=0;
    var username=document.login.username.value;
    username=username.toLowerCase();
    var password=document.login.password.value;
    password=password.toLowerCase();

    It starts out with a couple wtfs to begin with: your username and password must be in lowercase. Okay, fine. But that's when things get AWESOME. After that, there are dozens of lines like this:

     if (username=="someusername" && password=="wtf") { window.location="brochures.html"; done=1; }

    Over and over, the username and passwords are listed right there in plaintext. But then you realize very quickly that this is completely useless, since you can just change the URL in the browser to /brochures.html, and you're there without any authentication check.

    Now, I understand that there isn't really a huge need for security on this site to begin with, but that doesn't change the fact that there are dozens and dozens of username and password combinations just hanging out there. Hopefully the people that have registered created unique combinations for this site. Who knows?

    But yes, there's the big Saturday WTF.



  • @adamb said:

    Now, I understand that there isn't really a huge need for security on this site to begin with, but that doesn't change the fact that there are dozens and dozens of username and password combinations just hanging out there.

    Not that it makes the passwords any less secure than they were in the first place.



  • password=="123"

    password=="wordpass"

    password=="123456"

    password=="login"

    Can't say I've never seen them before. Wondering what kind of guys "fathead", "sexbomb", "badboy" and "stinkyfarms" are. The maintainer seems to use the passwords "login" and "site". Exemplary.



  • And they seem to come from http://javascript.internet.com/passwords/multiple-users.html.  The parent page claims they "do a good job", heh.



  •  They fixed it.

    The home page now says

     

    Login has been disabled.

       
       
    Click here to view our brochures.

    and the link takes you straight to the brochures page.  Works.js has gone 404.

     



  • @DaveK said:

     They fixed it.

    The home page now says

     

    Login has been disabled.

       
       
    Click here to view our brochures.

    and the link takes you straight to the brochures page.  Works.js has gone 404.

     

    indeed. oh well, that was funny.


  • @Steeldragon said:

    @DaveK said:

     They fixed it.

    The home page now says

     

    Login has been disabled.

       
       
    Click here to view our brochures.

    and the link takes you straight to the brochures page.  Works.js has gone 404.

     

    indeed. oh well, that was funny.
    Still got a copy of works.js in your browser cache?  Post it here if ya do...


  • @adamb said:

    you have to be a registered user in order to see their online brochures for some reason.
    Thats standard marketing-droid operating procedure. I can't count how many times I've heard the words "Vicki wants," "limit access," and "name, address, phone and e-mail"in the same sentence. Thankfully, we only use the information to market our own products and so she can brag to the company "Google visited our site!!"



  • Here is a ultra secure login with Javascript. I give it an A+ for complexity. The vendor does not use SSL to encrypt the authentication process. 

     

    function coverPass(thePass,theName) {
    thePass += theName; // concat the password and name to get more unique

    var a = 0x67452301;
    var b = 0xEFCDAB89;
    var c = 0x98BADCFE;
    var d = 0x10325476;
    var e = 0xC3D2E1F0;
    var w = new Array(80);
    var nblk = ((thePass.length + 😎 >> 6) + 1;
    var x = new Array(nblk * 16);
    var i = 0;
    var j = 0;

    for(i=0; i<(nblk * 16); i++) {
    x[i] = 0;
    }
    for(i=0; i<thePass.length; i++) {
    x[i >> 2] |= thePass.charCodeAt(i) << (24 - (i % 4) * 8);
    }
    x[i >> 2] |= 0x80 << (24 - (i % 4) * 8);
    x[nblk * 16 - 1] = thePass.length * 8;

    for(i = 0; i < x.length; i += 16) {
    oldA = a;
    oldB = b;
    oldC = c;
    oldD = d;
    oldE = e;

    for(j = 0; j < 80; j++) {
    if(j < 16) w[j] = x[i + j];
    else w[j] = rol(w[j-3] ^ w[j-8] ^ w[j-14] ^ w[j-16], 1);
    t = sum32(sum32(rol(a, 5), ft(j, b, c, d)), sum32(sum32(e, w[j]), kt(j)));
    e = d;
    d = c;
    c = rol(b, 30);
    b = a;
    a = t;
    }

    a = sum32(a, oldA);
    b = sum32(b, oldB);
    c = sum32(c, oldC);
    d = sum32(d, oldD);
    e = sum32(e, oldE);
    }
    return numToHex(a) + numToHex(b) + numToHex(c) + numToHex(d) + numToHex(e);
    }

    function numToHex(num) { // convert to a hex string
    hexStr = "";
    for(var i=7; i>=0; i--) {
    hexStr += "0123456789abcdef".charAt((num >> (i * 4)) & 0x0F);
    }
    return hexStr;
    }

    function ft(t, b, c, d) {
    if(t < 20) return (b & c) | ((~b) & d);
    if(t < 40) return b ^ c ^ d;
    if(t < 60) return (b & c) | (b & d) | (c & d);
    return(b ^ c ^ d);
    }

    function kt(t) {
    if(t < 20) {
    return(0x5A827999);
    }
    if(t < 40) {
    return(0x6ED9EBA1);
    }
    if(t < 60) {
    return(0x8F1BBCDC);
    }
    return(0xCA62C1D6);
    }

    function sum32(x, y) {
    return ((x&0x7FFFFFFF) + (y&0x7FFFFFFF)) ^ (x&0x80000000) ^ (y&0x80000000);
    }

    function rol(theNum, cnt) {
    return (theNum << cnt) | (theNum >>> (32 - cnt));
    }

    function cover() {
    if ((document.UserForm.adminName.value.length == 0) ||
    (document.UserForm.adminName.value.search(/\S/) < 0)) {
    return(false);
    }
    if (document.UserForm.domainName.value.length > 0) {
    parent.leftFrame.document.tempStore = document.UserForm.pass.value;
    domadmName = document.UserForm.domainName.value+"/"+document.UserForm.adminName.value;
    domadmName = domadmName.toLowerCase();
    document.UserForm.loginState.value = 1;
    } else {
    try {
    parent.leftFrame.document.tempStore = "";
    }
    catch(err) { }
    domadmName = document.UserForm.adminName.value;
    }
    tempVal = coverPass(document.UserForm.pass.value,domadmName);
    document.UserForm.hashPass.value = coverPass(tempVal,document.UserForm.challengeVal.value);
    document.UserForm.pass.value = "";
    document.UserForm.LoginButton.value="Logon";
    return(true);
    }
    function filterKeys(theEvent) {
    if (theEvent.keyCode == 13) {
    clickLogin();
    return(false);
    }
    return(true);
    }
    function clickLogin() {
    if (cover()) {
    document.UserForm.submit();
    }
    }
    </script>
    <script language="javascript">

    urlOK = false;
    if (parent) {
    topurl = String(parent.document.location.href).toLowerCase();
    if ((topurl.indexOf("/access/accessroot.asp") > 0)||(String(topurl) == String(document.location.href)))
    urlOK = true;
    } else urlOK = true;
    if (urlOK == false) top.location = "accessRoot.asp?"+Math.random();
    function forgotPassword() {
    if (document.UserForm.adminName.value.length == 0) {
    alert("Enter your username and we will email you a new password.");
    } else {
    document.UserForm.forgot.value = document.UserForm.adminName.value;
    document.UserForm.submit();
    }
    }
    function checkCookie() {
    document.UserForm.cookieFlag.value = "true";
    }
    document.UserForm.adminName.focus();document.UserForm.adminName.select();




  • @OSvsOS said:

    Here is a ultra secure login with Javascript. I give it an A+ for complexity. The vendor does not use SSL to encrypt the authentication process. 

     

      var a = 0x67452301;
    var b = 0xEFCDAB89;
    var c = 0x98BADCFE;
    var d = 0x10325476;
    var e = 0xC3D2E1F0;

    That IS, however, some kind of brain-fucked attempt at an implementation of SHA-1.  Good on them, they must have heard of security.  Somewhere.

    @OSvsOS said:

    The vendor does not use SSL
    to encrypt the authentication process. 

    @OSvsOS said:

        tempVal = coverPass(document.UserForm.pass.value,domadmName);
    document.UserForm.hashPass.value = coverPass(tempVal,document.UserForm.challengeVal.value);
    document.UserForm.pass.value = "";
    document.UserForm.LoginButton.value="Logon";
    return(true);

      YARRRR!  CAP'N, THERE BE HASHES ON THE WIRE!  FULL SPEED AHEAD AND PREPARE FOR BOARDIN'!

     


  • Banned

    This post is deleted!

Log in to reply
 

Looks like your connection to What the Daily WTF? was lost, please wait while we try to reconnect.