Easy Brute-Force Web Password Cracking with HTML Applications

Posted 2008-06-17 in JavaScript by Johann.

Here’s something I did a year ago to help a friend who had forgotten a password.

I wrote an HTML Application (HTA) that would brute-force crack the login form on a website. This particular website used a four-digit number as a password.

HTML Applications

HTML Applications are a long-forgotten (?) technology introduced with Microsoft Internet Explorer 5 on Windows. An HTML Application is a web page whose code runs without security restrictions and can for example use all ActiveX controls available on the system. Of course, the same origin policy is disabled, too.

Automating web pages

Since the same origin policy that would prohibit cross-domain communication is disabled, my crack tried out all number combinations by filling out the login form and submitting it until a certain text was not present on the page.

Example Code

Download a demo HTML application.

It should work on Microsoft Windows in Internet Explorer 5 and greater. And no, despite the name, it does not do anything nasty.

If you look into the source, you’ll notice that there is not much of it. All I do is

  1. load a web page in an IFrame,
  2. bind a JavaScript event handler to its onload event, and
  3. access the DOM of the remote web page to submit a form or to inspect its innerHTML property.

Bonus information

I thought that HTML Applications would make for a very interesting concept for content scrapers. If you would like to find out whether your website is framed in an HTML application, you can access the document.body.clientWidth property. If your web page is contained in an HTML Application, this property is 0.


Decompress JavaScript compressed by /packer/ and other Compressors

Posted 2008-06-09 in JavaScript by Johann.

JavaScript code is frequently compressed. This is done to

It is often helpful to be able to uncompress JavaScript again: you may want to regain access to compressed code whose original no longer exists, or you may want to understand which vulnerabilities crackers are exploiting.

JavaScript compressors

All JavaScript packers consist of two parts:

  1. A decompressor that uncompresses and loads the original JavaScript.
  2. A data segment that contains the compressed JavaScript code.

Dynamic JavaScript

JavaScript can be loaded dynamically using the following methods:

  1. eval. The eval function evaluates a string argument that contains JavaScript.
  2. Writing a new <script> element to the page using document.write.
  3. new Function(string). The Function constructor can be used to evaluate JavaScript code, in a similar way to eval.

Most packers use eval; document.write is the next most common method.

Decompressing

To decompress JavaScript, simply replace the methods described above by one of the following:

  1. alert. The popup window simply displays the code instead of running it.
  2. If the JavaScript appears after the <body> element, you can add a <textarea> like so:
    <textarea id="code"></textarea>
    
    Then, replace eval(…); by document.getElementById("code").value=…;.

/packer/

A typical JavaScript compressed with /packer/ starts with the following code:

eval(function(p,a,c,k,e,r)…

eval can simply be replaced by alert.

JavaScript Utility

The JavaScript Utility decompressor/loader code looks like this:

eval((function(s){var a,c,e,i,j,o=""…

Again, eval can be replaced.

PSA

PSA by JSIntegration is another packer. It also uses the eval function, which can be replaced by one of the methods described above.

eval(function(E,I,A,D,J,K,L,H)…

A Malware example

I found this code on a Ukrainian site that serves malware through Internet Explorer exploits.

function WKOOOz34(OrPv){… document.write(PWS);}WKOOOz34(unescape('…

Here, <textarea id="code"></textarea> can be added to the page and the document.write(PWS) be replaced by document.getElementById("code").value=PWS.
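As an added example that is not part of the original post and not code from /packer/, the JavaScript Utility, PSA or the malware loader quoted above: the following Node.js script automates the replacement described in the Decompressing section. Instead of editing the page by hand and swapping eval for alert or a textarea, it runs the loader with eval, document.write and the Function constructor shadowed by a capturing function, so whatever the loader would have executed is returned as text, and it peels nested layers until the result no longer calls one of those sinks. All three packed strings are constructed for this example: the first uses the real /packer/ decompressor with a three-word dictionary, the second mirrors the unescape-then-document.write shape of the malware loader above but is not that code, and the third shows the Function-constructor variant. The loader code itself is still executed, so run this in a disposable VM, the same precaution that applies when loading a malware page with eval replaced by alert.

```javascript
// Added example, not code from the original post or from any packer named there.
// Unpack JavaScript by running the packer's loader with its three possible
// sinks (eval, document.write, new Function) shadowed by a capturing function.
// The loader code itself is executed, so run this in a disposable VM.

// Run one layer of packed source; return everything the loader tried to execute.
function unpackOnce(src) {
  const captured = [];
  const capture = (code) => { captured.push(String(code)); };
  // `new Function(code)` must yield something callable, so record the code and
  // hand back a no-op; packers usually call the result immediately.
  function FakeFunction(code) { capture(code); return function () {}; }
  const fakeDocument = { write: capture, writeln: capture };
  // Parameters named eval/document/Function shadow the real globals inside the
  // loader (new Function bodies are sloppy-mode, so `eval` is a legal parameter).
  const run = new Function('eval', 'document', 'Function', src);
  run(capture, fakeDocument, FakeFunction);
  return captured.join('\n');
}

// Does this code still look like a loader feeding one of the sinks?
const SINK = /\b(?:eval|document\.write(?:ln)?|new\s+Function)\s*\(/;

// Peel nested layers. Only code matching SINK is run; once the result no longer
// calls a sink it is treated as the final payload and returned without running it.
function unpack(src, maxDepth = 5) {
  let code = src;
  for (let i = 0; i < maxDepth && SINK.test(code); i++) {
    const out = unpackOnce(code);
    if (out === '') break; // the loader ran but called no sink: nothing more to peel
    code = out;
  }
  return code;
}

// Constructed sample 1: a string packed with /packer/ (its real decompressor with
// a three-word dictionary), the eval(function(p,a,c,k,e,r) shape quoted above.
const PACKED_PACKER = String.raw`eval(function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('0 1="2";',3,3,'var|x|hello'.split('|'),0,{}))`;

// Constructed sample 2: the unescape + document.write shape of the malware loader.
const PACKED_DOCWRITE = "function loader(s){var out=unescape(s);document.write(out);}loader('%3Cscript%3Evar%20y%3D2%3B%3C%2Fscript%3E');";

// Constructed sample 3: the Function-constructor variant.
const PACKED_FUNCTION = "new Function(['var z','=','3;'].join(''))();";

for (const packed of [PACKED_PACKER, PACKED_DOCWRITE, PACKED_FUNCTION]) {
  console.log(unpack(packed));
}
```

The SINK check before each run is what keeps the final payload from being executed: a decoded exploit page contains no loader call, so the loop stops and hands the text back for reading, exactly what the textarea trick achieves in the browser.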

Summary

JavaScript cannot be encrypted in a way that still lets the browser run it, so compressed JavaScript code can always be uncompressed again.


Name Intelligence, Inc. won’t stop abuse

Posted 2008-06-01 in Spam by Johann.

Name Intelligence, Inc. is one of the few corporate web abusers that I seriously consider blocking at the firewall. Not because of their stealth crawling but because they assume webmasters are really, really stupid and can’t tell fake bots from real ones.

66.249.16.211 … "GET / HTTP/1.1" 403 345 "http://whois.domaintools.com/…" "Mozilla/5.0 (compatible; YodaoBot/1.0; http://www.yodao.com/help/webmaster/spider/; )"

66.249.16.212 … "GET / HTTP/1.1" 403 4252 "http://whois.domaintools.com/eaio.com" "msnbot/1.1 (+http://search.msn.com/msnbot.htm)"
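The log lines above show the giveaway: user-agents claiming to be YodaoBot and msnbot from addresses that belong to neither. The check that separates a crawler that merely claims a name from the real one is forward-confirmed reverse DNS, which major crawler operators document for exactly this purpose. The following Node.js script is an added example, not code from the original post: it parses combined-format log lines, looks for a known crawler token in the user-agent, and verifies the IP against the operator's published hostname suffix both ways. DNS lookups are injected as a resolver object so the script runs offline against a constructed stub; the first two sample lines reuse the IPs and user-agents quoted above with a made-up timestamp, and the last two are invented (documentation address space) to show the genuine and spoofed-PTR cases. The hostname suffixes for msnbot and Googlebot are the operators' documented ones; there is no rule for YodaoBot, so such hits come back as unverifiable rather than genuine.

```javascript
// Added example, not code from the original post. Forward-confirmed reverse DNS:
// the IP's PTR record must land in the crawler operator's published domain, and
// that hostname must resolve back to the same IP. DNS is injected so this runs
// offline against a constructed stub; in production wire it to dns.promises.

// User-agent token -> hostname suffixes the operator documents for its crawlers.
// No rule exists here for YodaoBot, so such hits are reported as unverifiable.
const KNOWN_BOTS = {
  msnbot: ['.search.msn.com'],
  Googlebot: ['.googlebot.com', '.google.com'],
};

// Pull ip, request, status, referer and user-agent out of a combined-format line.
function parseLogLine(line) {
  const m = /^(\S+) \S+ \S+ \[[^\]]*\] "([^"]*)" (\d{3}) (\S+) "([^"]*)" "([^"]*)"/.exec(line);
  if (!m) return null;
  return { ip: m[1], request: m[2], status: Number(m[3]), referer: m[5], userAgent: m[6] };
}

// resolver: { ptr(ip) -> hostnames[], a(hostname) -> ips[] } (synchronous, injected)
function classifyCrawler(entry, resolver) {
  const bot = Object.keys(KNOWN_BOTS).find((token) => entry.userAgent.includes(token));
  if (!bot) return { ip: entry.ip, verdict: 'unverifiable', reason: 'no verification rule for this user-agent' };
  const host = resolver.ptr(entry.ip).find((h) => KNOWN_BOTS[bot].some((suffix) => h.endsWith(suffix)));
  if (!host) return { ip: entry.ip, bot, verdict: 'fake', reason: 'reverse DNS outside the operator domain' };
  // Forward confirmation: whoever controls an IP's PTR record can make it say
  // anything, but cannot make the operator's zone resolve that name to their IP.
  if (!resolver.a(host).includes(entry.ip)) return { ip: entry.ip, bot, verdict: 'fake', reason: 'PTR not forward-confirmed' };
  return { ip: entry.ip, bot, verdict: 'genuine', host };
}

function auditLog(lines, resolver) {
  return lines.map(parseLogLine).filter(Boolean).map((entry) => classifyCrawler(entry, resolver));
}

// Constructed log lines: the first two reuse the IPs and user-agents from the
// post with a made-up timestamp; the last two are invented for the genuine and
// spoofed-PTR cases and use documentation address space.
const SAMPLE_LOG = [
  '66.249.16.211 - - [01/Jun/2008:10:00:00 +0000] "GET / HTTP/1.1" 403 345 "http://whois.domaintools.com/eaio.com" "Mozilla/5.0 (compatible; YodaoBot/1.0; http://www.yodao.com/help/webmaster/spider/; )"',
  '66.249.16.212 - - [01/Jun/2008:10:00:01 +0000] "GET / HTTP/1.1" 403 4252 "http://whois.domaintools.com/eaio.com" "msnbot/1.1 (+http://search.msn.com/msnbot.htm)"',
  '203.0.113.5 - - [01/Jun/2008:10:00:02 +0000] "GET /robots.txt HTTP/1.1" 200 120 "-" "msnbot/1.1 (+http://search.msn.com/msnbot.htm)"',
  '198.51.100.7 - - [01/Jun/2008:10:00:03 +0000] "GET / HTTP/1.1" 200 4252 "-" "msnbot/1.1 (+http://search.msn.com/msnbot.htm)"',
];

// Constructed stub DNS: 198.51.100.7 has a PTR that claims search.msn.com, but
// the forward lookup of that name points to a different address.
const STUB_DNS = {
  ptr: {
    '66.249.16.212': ['host-66-249-16-212.example.net'],
    '203.0.113.5': ['msnbot-203-0-113-5.search.msn.com'],
    '198.51.100.7': ['msnbot-198-51-100-7.search.msn.com'],
  },
  a: {
    'host-66-249-16-212.example.net': ['66.249.16.212'],
    'msnbot-203-0-113-5.search.msn.com': ['203.0.113.5'],
    'msnbot-198-51-100-7.search.msn.com': ['203.0.113.9'],
  },
};
const stubResolver = { ptr: (ip) => STUB_DNS.ptr[ip] || [], a: (host) => STUB_DNS.a[host] || [] };

for (const result of auditLog(SAMPLE_LOG, stubResolver)) console.log(result);
```

A verdict of fake for a request that also claims a search-engine referer, as in the lines above, is a reasonable trigger for a firewall rule; an unverifiable verdict only says the user-agent is not one the script knows how to check, so add a rule with the operator's published domain before treating those hits as anything other than unknown.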


xslt.js version 3.0 released XML XSLT now with jQuery plugin

Posted 2008-05-19 in JavaScript by Johann.

xslt.js is a tiny JavaScript library to transform XML with XSL. Essentially, it’s a JavaScript wrapper around the browser’s XSLT API.

Version 3.0 now includes a jQuery plugin.

Browser Support

xslt.js supports the following browsers:

  • Mozilla 0.9.4 and greater.
  • Microsoft Internet Explorer 5 and greater, Internet Explorer 6 and greater if using the jQuery plugin.
  • Opera 9 and greater.
  • Safari 3 or greater.

jQuery XSL plugin

To use the jQuery XSL plugin, add the jquery.xsltjs.js file (5 KB) to your page. Files compressed with YUI (2 KB) and YUI and /packer/ (2 KB) are included in the download as well.

Ideally, though, you would combine all JavaScript files on your page into a single compressed file.

The jQuery plugin extends jQuery with a function called xslt. Its parameters are xml and xslt where xml is the URI of the XML file and xslt is the URI of the XSL style sheet.

$('#myid').xslt('bla.xml', 'bla.xslt');

Changelog

  • JavaScript compression changed from ShrinkSafe to YUI Compressor followed by /packer/.
  • xslt.js version information removed.
  • jQuery plugin.

Issues

  • There is no XSLT callback in the jQuery plugin. This means you currently cannot modify the transformed XML. If you need this, please let me know.

Tips

  • To perform an XSLT onload, use the following JavaScript:
    $(function() {
     $('#element').xslt('bla.xml', 'bla.xslt');
    });

