[ale] HTML encryption?

Denny Chambers dchambers at snapserver.com
Wed Oct 31 09:32:21 EST 2001


Could this be used to trick out spying systems like ECHELON, who search
for key word phases in every transmission, or are these spying systems
more sophisticated than that?

Denny

Geoffrey wrote:
> 
> I don't know the purpose of this particular app, but I agree with you
> that I would hope it's not intended to create a secure solution.  I've
> seen another web site that did just that.  It claimed that your credit
> card was encrypted before it was sent.  I noted that it was not using
> ssl.  I checked out the code and it was even more trivial then this
> piece.  Basically did an alphabetic shift of the characters.  Took me
> all of 5 minutes to 'decrypt' the solution.  I sent email to the
> 'webmaster' but never heard anything back.  Last I looked, it was still
> using the same solution.  Sad, because the person is either ignorant, or
> doesn't care about the security of folks information.
> 
> "Stephen J. Pellicer" wrote:
> >
> > What a fun little exercise!
> >
> > Something compelled me to look at this one just to see what this webmonkey
> > was up to. I have the code I was working with at the end of this message. I
> > renamed most of the variables to make it more readable. I'm assuming the
> > long string of junk was calling d: d("Some long string of junk"). To see
> > what they have as the source I just dropped the webpage into a textarea form
> > control to take a look at it. The regular expression before printing it to
> > the textarea is to replace any textarea closing tags that are in the
> > resulting source. This prevents it from breaking out of the included
> > textarea control.
> >
> > The algorithm just goes through and does a simple replace. The replace works
> > the same in the reverse direction as well. It basically takes any letters
> > located in the last half of the key and substitutes them with something in
> > the first half of the key and vice versa. The substitution is based upon
> > distance from the middle of the key. This essentially sets up a "mirror" in
> > the middle of the key. Anything to the right of the mirror reflects the
> > letter on the left of the mirror. If the character in the message doesn't
> > show up in the key it just passes through.
> >
> > Pretty neat little late night activity. I sure hope this algorithm wasn't
> > meant to be a way to secure the web application. That's the main reason I
> > looked at it because I've been doing a lot of web application assessments
> > these days and I see silly tricks like this all the time. The simple
> > substitution is easy for those using it because it's reversable with the
> > exact same algorithm. That means the coders can just send all of their page
> > source through the same code and use the results in the page they serve up.
> > The simple substitution also means you don't get any change in frequencies
> > of characters and this particular implementation passes through any
> > character not in the key. Also, if the key repeats any characters you may
> > run into problems decoding.
> >
> > Stephen
> >
> > <!--- snip --->
> > <script language="JavaScript">
> > <!--
> > ky="";
> >
> > function d(msg) {
> >   ky=ky+codeIt(key,msg);
> > }
> >
> > var key =
> > "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz<>]#\"";
> > var
> > index="0123456789012345678901234567890123456789012345678901234567890123456";
> > var test="hello"
> > var rslt="NQJJG"
> >
> > function codeIt (mKey, eMsg) {
> >   var indexInKey, halfKeyLen =  mKey.length / 2, result = "", dv;
> >   for (var x = 0; x < eMsg.length; x++) {
> >   // Walk through characters in message
> >     indexInKey = mKey.indexOf(eMsg.charAt(x));
> >     if (indexInKey > halfKeyLen) {
> >     // Character in message is in second half of key
> >       dv = indexInKey - halfKeyLen;
> >       result = result + mKey.charAt(33 - dv);
> >     }else {
> >       if (key.indexOf(eMsg.charAt(x)) < 0) {
> >         result = result + eMsg.charAt(x)
> >       }else {
> >         dv = halfKeyLen - indexInKey;
> >         result = result + mKey.charAt(33 + dv);
> >       }
> >     }
> >   }
> >   return result;
> > }
> > //d("<FORM><INPUT type=hidden name=haxor
> > value=secret><TEXTAREA>Junk</TEXTAREA><INPUT type=submit></FORM>");
> > d("4pgdi34mhfab B6FQ=NMRRQH HUIQ=NU7GD
> > 9UJAQ=CQSDQB34bqXbudqu3lAHK4/bqXbudqu34mhfab B6FQ=CATIMB34/pgdi3");
> > re = /<\/textarea>/gi;
> > junk = ky.replace(re, "<\\/textarea>");
> > document.write("<TEXTAREA cols=60 rows=30>"+junk+"</TEXTAREA>");
> > //document.write(ky);
> > //-->
> > </SCRIPT>
> > <HTML><HEAD>
> > <TITLE>Junk</TITLE></HEAD><BODY>
> > </BODY></HTML>
> > <!---- Done ------------>
> >
> > ---
> > This message has been sent through the ALE general discussion list.
> > See http://www.ale.org/mailing-lists.shtml for more info. Problems should be
> > sent to listmaster at ale dot org.
> 
> --
> Until later: Geoffrey           esoteric at denali.atlnet.com
> 
> "...the system (Microsoft passport) carries significant risks to users
> that
> are not made adequately clear in the technical documentation available."
> - David P. Kormann and Aviel D. Rubin, AT&T Labs - Research
> - http://www.avirubin.com/passport
> 
> ---
> This message has been sent through the ALE general discussion list.
> See http://www.ale.org/mailing-lists.shtml for more info. Problems should be
> sent to listmaster at ale dot org.

---
This message has been sent through the ALE general discussion list.
See http://www.ale.org/mailing-lists.shtml for more info. Problems should be 
sent to listmaster at ale dot org.






More information about the Ale mailing list