Solved

Userid/Password Validation

Posted on 1997-06-20
Last Modified: 2008-02-26
What is wrong with the following script?


<HTML><HEAD>
<SCRIPT LANGUAGE="JavaScript">

<!-- Hide from JavaScript-Impaired Browsers
// Lookup alphabet: ckPwd() converts each decoded index into one character of
// this string with al.charAt().
al="`1234567890-=~!@#$%^&*()_+qwer"
+"tyuiop[]QWERTYUIOP{}|asdfghjkl;A"
+"SDFGHJKL:zxcvbnm,./ZXCVBNM<>?";
// Page-name suffix: seeded in ckPwd() from the first record length and
// extended in tstOk() before the redirect.
ab1="";
// Number of failed attempts counted by ckPwd() since the page was loaded.
bctr=0;
// ckPwd: compare the typed username/password with the credential records
// encoded in the string read from document.pd.value.
// Encoded layout, as decoded below: a two-digit key (minus 91 gives offset a),
// then records made of a two-digit length (minus 89) followed by that many
// two-digit codes; each code minus a is an index into the global string al.
// Decoded records are joined with "*" and searched for "username*password*".
// On a match tstOk() runs; otherwise the failure counter bctr goes up and,
// once it exceeds 3, the browser is sent to wrongpage.html.
// Every variable assigned here without var is a global; tstOk() reads a and ab1.
// NOTE(review): the check, the alphabet and the encoded records are all
// delivered to the browser, so anyone who can load this page can read or
// decode them. This is obfuscation, not access control; enforce access on
// the server (for example HTTP authentication) instead.
function ckPwd(){
 // Candidate string in the same "user*password*" shape as the decoded records.
 tst=document.isn.username.value
 +"*"+document.isn.passwrd.value+"*";
 // NOTE(review): "pd" is the name of a FORM on this page, and a form object
 // has no value property, so ls is undefined here and the substring() call
 // below fails. The encoded string presumably lives in a hidden element
 // pasted into that form (confirm its name) and would be read as
 // document.pd.ELEMENT_NAME.value.
 ls=document.pd.value;
 // Key offset. NOTE(review): eval() is used only to turn two digits into a
 // number; parseInt(text, 10) does that without executing the text as code.
 a=eval(ls.substring(0,2))-91;
 ls=ls.substring(2,ls.length);
 nls="";
 flg=0;
 // Decode one record per pass while more than 12 characters remain.
 while (ls.length>12){
  // Length of this record.
  ab=eval(ls.substring(0,2))-89;
// Remember the first record's length (only assigned while ab1 is still empty).
ab1=(ab1==""?""+ab:ab1);
  // Copy of ab1; not read again in the visible code.
  oab1=ab1;
  ls=ls.substring(2,ls.length);
  // Map each two-digit code to a character of al.
  for (var i=0;i<ab;i++){
   nr=eval(ls.substring(0,2))-a;
   ls=ls.substring(2,ls.length);
   nls+=al.charAt(nr);
   }
  // Record terminator.
  nls+="*";
  // NOTE(review): indexOf() is a substring search over everything decoded so
  // far, not an exact comparison of one record pair, so it accepts more
  // inputs than an equality test would.
  if (nls.indexOf(tst)>-1){
   // Stop decoding and mark success.
   ls="";
   flg=1;
   }
  }
 if (flg==1){
  tstOk();
  }
  else{
  // Failed attempt. bctr is a page-level variable set to 0 when the page
  // loads, so this limit exists only in the browser and starts over on reload.
  bctr++;
  if (bctr>3){
   location.href="wrongpage.html";
   }
  else{
   alert("Sorry. Bad Username or Password."
   +" Failed Attempt #"+bctr+".");
   }
  }
 }
                             
// tstOk: announce success and navigate to the restricted page.
// The target is "rightpage.html" with ab1 (first record length, set in
// ckPwd()) and a (key offset) appended to it.
// NOTE(review): the destination name is computed from values that are present
// in the page, and nothing visible here makes the server check who requests
// it; treat the target page as reachable by anyone who knows its name.
function tstOk(){
 ab1=ab1+""+a;
  alert("OK. You Entered a Valid Username and Password, "
  +document.isn.username.value+"! Taking you to the"
  +" restricted page as soon as you click OK.");
 location.href="rightpage.html"+ab1;
 }
                                   
// srand: take the fourth-from-last digit of the current time in milliseconds
// and store it as a number in the global rec.
// Not called anywhere in this listing.
// NOTE(review): a clock digit is predictable, so rec should not be used where
// unpredictability matters; eval() is again only a string-to-number conversion.
function srand() {
 today=new Date();
 rand=today.getTime();
 picker=""+rand
 picker=picker.charAt((picker.length-4));
 rec=eval(picker);
 }
// End Hiding -->    
                             
</SCRIPT> </HEAD> <BODY BGCOLOR="black" text="grey""><CENTER>
<FORM NAME="pd">
<!-- IMPORTANT: After you run the pseudo-encrypter, you
will get a "hidden" form element constructed especially for your own user
names and passwords. Paste that form element right below this note and
above the end of form tag. -->
<!-- NOTE(review): no hidden element has been pasted here, so the encoded
string that ckPwd() tries to read is missing. Whatever is placed in this
form, hidden or not, is delivered to every visitor and readable in the
page source. -->

</FORM>
                                   
<!-- You may put any page content you wish here
                               
The HTML below for the password entry is presently set for blue background and $
                                         
<FORM NAME="isn">              
<TABLE BORDER=2 CELLPADDING=5 CELLSPACING=0 BGCOLOR=BLUE>
<TR><TD COLSPAN=2 ALIGN=CENTER><FONT SIZE=4 COLOR=WHITE FACE="helvetica,arial,g$
<TR><TD><FONT SIZE=3 COLOR=GREY><B>Your User Name:</B></FONT></TD>
<TD><INPUT TYPE="text" NAME="username" VALUE="" SIZE=10></TD></TR>
<TR><TD><FONT SIZE=3 COLOR=grey<B>Your Password:</B></FONT></TD>
<TD><INPUT TYPE="password" NAME="passwrd" VALUE="" SIZE=10></TD></TR>
<TR>              
<TD COLSPAN=2 ALIGN=CENTER>                                          
<INPUT TYPE="button" NAME="btn" VALUE=" Submit " onClick="ckPwd();return false;$
</TABLE></FORM>                            
                                   
<b>To Recieve Access:</b><br>      
Username- John<br>                            
Password- 4$3gb%a              
<SCRIPT LANGUAGE="JavaScript">                                                  
                                         
<!-- Hide JavaScript from Java-Impaired Browsers
document.isn.username.focus();                                       // End Hiding -->
                                                                     
</SCRIPT>                                                                      
                                           
</BODY>                            
</HTML>          
Question by:npc101
8 Comments
 
LVL 1

Expert Comment

by:viro
ID: 1267374
Try this version:

                  <HTML><HEAD>
                  <SCRIPT LANGUAGE="JavaScript">

                  <!-- Hide from JavaScript-Impaired Browsers
                  // Lookup alphabet: ckPwd() converts each decoded index into one character
                  // of this string with al.charAt().
                  al="`1234567890-=~!@#$%^&*()_+qwer"
                  +"tyuiop[]QWERTYUIOP{}|asdfghjkl;A"
                  +"SDFGHJKL:zxcvbnm,./ZXCVBNM<>?";
                  // Page-name suffix: seeded in ckPwd() from the first record length and
                  // extended in tstOk() before the redirect.
                  ab1="";
                  // Number of failed attempts counted by ckPwd() since the page was loaded.
                  bctr=0;
                  // ckPwd: compare the typed username/password with the credential records
                  // encoded in the string read from document.pd.value.
                  // Encoded layout, as decoded below: a two-digit key (minus 91 gives offset
                  // a), then records made of a two-digit length (minus 89) followed by that
                  // many two-digit codes; each code minus a is an index into the global al.
                  // Decoded records are joined with "*" and searched for
                  // "username*password*". On a match tstOk() runs; otherwise bctr goes up
                  // and, once it exceeds 3, the browser is sent to wrongpage.html.
                  // NOTE(review): the check, the alphabet and the encoded records are all
                  // delivered to the browser, so anyone who can load this page can read or
                  // decode them. This is obfuscation, not access control; enforce access on
                  // the server (for example HTTP authentication) instead.
                  function ckPwd(){
                   // Candidate string in the same "user*password*" shape as the decoded records.
                   tst=document.isn.username.value
                   +"*"+document.isn.passwrd.value+"*";
                   // NOTE(review): "pd" is the name of a FORM on this page, and a form
                   // object has no value property, so ls is undefined here and the
                   // substring() call below fails. The encoded string presumably lives in
                   // a hidden element pasted into that form (confirm its name) and would
                   // be read as document.pd.ELEMENT_NAME.value.
                   ls=document.pd.value;
                   // Key offset. NOTE(review): eval() is used only to turn two digits into
                   // a number; parseInt(text, 10) does that without executing the text.
                   a=eval(ls.substring(0,2))-91;
                   ls=ls.substring(2,ls.length);
                   nls="";
                   flg=0;
                   // Decode one record per pass while more than 12 characters remain.
                   while (ls.length>12){
                    // Length of this record.
                    ab=eval(ls.substring(0,2))-89;
                  // Remember the first record's length (only assigned while ab1 is empty).
                  ab1=(ab1==""?""+ab:ab1);
                    // Copy of ab1; not read again in the visible code.
                    oab1=ab1;
                    ls=ls.substring(2,ls.length);
                    // Map each two-digit code to a character of al.
                    for (var i=0;i<ab;i++){
                     nr=eval(ls.substring(0,2))-a;
                     ls=ls.substring(2,ls.length);
                     nls+=al.charAt(nr);
                     }
                    // Record terminator.
                    nls+="*";
                    // NOTE(review): indexOf() is a substring search over everything
                    // decoded so far, not an exact comparison of one record pair, so it
                    // accepts more inputs than an equality test would.
                    if (nls.indexOf(tst)>-1){
                     // Stop decoding and mark success.
                     ls="";
                     flg=1;
                     }
                    }
                   if (flg==1){
                    tstOk();
                    }
                    else{
                    // Failed attempt. bctr is a page-level variable set to 0 when the
                    // page loads, so this limit exists only in the browser and starts
                    // over on reload.
                    bctr++;
                    if (bctr>3){
                     location.href="wrongpage.html";
                     }
                    else{
                     alert("Sorry. Bad Username or Password."
                     +" Failed Attempt #"+bctr+".");
                     }
                    }
                   }
                     
                  // tstOk: announce success and navigate to the restricted page.
                  // The target is "rightpage.html" with ab1 (first record length, set in
                  // ckPwd()) and a (key offset) appended to it.
                  // NOTE(review): the destination name is computed from values that are
                  // present in the page, and nothing visible here makes the server check
                  // who requests it; treat the target page as reachable by anyone who
                  // knows its name.
                  function tstOk(){
                   ab1=ab1+""+a;
                    alert("OK. You Entered a Valid Username and Password, "
                    +document.isn.username.value+"! Taking you to the"
                    +" restricted page as soon as you click OK.");
                   location.href="rightpage.html"+ab1;
                   }
                     
                  // srand: take the fourth-from-last digit of the current time in
                  // milliseconds and store it as a number in the global rec.
                  // Not called anywhere in this listing.
                  // NOTE(review): a clock digit is predictable, so rec should not be used
                  // where unpredictability matters; eval() is again only a
                  // string-to-number conversion.
                  function srand() {
                   today=new Date();
                   rand=today.getTime();
                   picker=""+rand
                   picker=picker.charAt((picker.length-4));
                   rec=eval(picker);
                   }
                  // End Hiding -->
                     
                  </SCRIPT>
</HEAD>
<BODY BGCOLOR="black" text="grey"">
<CENTER>
<FORM NAME="pd">
                  <!-- IMPORTANT: After you run the pseudo-encrypter, you
                  will get a "hidden" form element constructed especially for your own
                  user
                  names and passwords. Paste that form element right below this note and
                  above the end of form tag. -->
                  <!-- NOTE(review): no hidden element has been pasted here, so the encoded
                  string that ckPwd() tries to read is missing. Whatever is placed in this
                  form, hidden or not, is delivered to every visitor and readable in the
                  page source. -->
</FORM>
                     
                  <!-- You may put any page content you wish here
                     
                  The HTML below for the password entry is presently set for blue
                  background and $ -->
                     
<!-- Login form. ckPwd() reads the two fields as document.isn.username and
document.isn.passwrd, and the button runs ckPwd() from its onClick handler.
The form has no ACTION or METHOD, so the check happens only in the browser.
NOTE(review): the FONT tag on the password label is missing its closing
angle bracket before the B element, and several TR, TD and FONT elements
are left unclosed. -->
<FORM NAME="isn">
<TABLE BORDER=2 CELLPADDING=5 CELLSPACING=0 BGCOLOR=BLUE>
<TR>
<TD COLSPAN=2 ALIGN=CENTER>
<FONT SIZE=4 COLOR=WHITE FACE="helvetica,arial">
</TD>
<TR>
<TD>
<FONT SIZE=3 COLOR=GREY>
<B>Your User Name:</B>
</FONT>
</TD>
<TD>
<INPUT TYPE="text" NAME="username" VALUE="" SIZE=10>
</TD>
<TR>
<TD>
<FONT SIZE=3 COLOR=grey<B>Your Password:</B></FONT>
</TD>
<TD>
<INPUT TYPE="password" NAME="passwrd" VALUE="" SIZE=10>
</TD>
<TR>
<TD COLSPAN=2 ALIGN=CENTER>
<INPUT TYPE="button" NAME="btn" VALUE=" Submit " onClick="ckPwd();return false;">
</TABLE>
</FORM>
                     
                  <!-- NOTE(review): a username and password are printed in clear text on
                  the login page itself; acceptable only for a demonstration. -->
                  <b>To Recieve Access:</b><br>
                  Username- John<br>
                  Password- 4$3gb%a
<SCRIPT LANGUAGE="JavaScript">
<!-- Hide JavaScript from Java-Impaired Browsers
  // Put keyboard focus on the username field; this script comes after the form.
  document.isn.username.focus();
// End Hiding -->
</SCRIPT>
</BODY>
</HTML>

Hope it helps!
 

Author Comment

by:npc101
ID: 1267375
Both versions give an "ls has no properties" error. What's wrong with it?
 
LVL 3

Accepted Solution

by:
garik earned 100 total points
ID: 1267376
You assign ls=document.pd.value - pd is a form, it doesn't have a value as far as I know. Then, apparently for testing, you combine username and password from isn form and assign it to tst - perhaps, that's what you want to use instead of document.pd.value? Although it still doesn't work because of eval() statements.
Anyway, if you could tell what you actually want from this script, I'd gladly help you.

Cheers
 

Author Comment

by:npc101
ID: 1267377
I want the script to limit access to a series of pages on my website by using a username-password system. The script must be secure so that it cannot be viewed from the login page, or it will be easy to crack.

Cheers.

 
LVL 3

Expert Comment

by:garik
ID: 1267378
As far as I know, there is no way to protect your script from viewing - the most tricky solutions are easily bypassed by disbaling JavaScript in the browser to see ANY script - embedded or .js file.
The easiest way to setup an authentication without using server-side solutions is to use file names as passwords. F.ex., for multiple user accounts, you could have subdirectories named as username and an entry page named as password. For user "joe" with password "sixpack" correct URL is
username+"/"+password+".html" = "joe/sixpack.html"
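Therefore, your users would get 404s (Not found) instead of 401s (Access denied) if they use a wrong username/password combination. Directory listing (the only way to crack this system except for guessing) can be prevented either by prohibiting it on the server or, if you don't have access to the server, by providing a proper index.html (or whatever your server requires). Keep in mind that with this scheme the URL itself is the credential, so it also has to stay out of places where URLs are recorded or shared, such as bookmarks, browser history, Referer headers and server logs.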
BTW, why can't you use server's authentication facilities?
 
LVL 3

Expert Comment

by:garik
ID: 1267379
mistyped: ".. bypassed by disabling JavaScript in the browser.."

 

Author Comment

by:npc101
ID: 1267380
I don't use server authentication as the server I use doesn't use CGI (it's a pain, I know) so I can't.
 
LVL 3

Expert Comment

by:garik
ID: 1267381
Actually, I meant basic HTTP authentication supported by some Web servers like Apache or NCSA - they use plain .htaccess/.htpasswd files to protect directories.

Newer servers usually have built-in authentication and maintain users database.

BTW, it's location.href in MSIE, but document.location in Netscape, so you have to check User Agent to do a redirection right:

// Send the top frame to Home.html, picking the property by user agent:
// document.location when "MSIE" is absent from the UA string, location.href otherwise.
if (navigator.userAgent.indexOf("MSIE") < 0) {
      top.document.location = "Home.html";
} else {
      top.location.href = "Home.html";
}