The Intro 10 challenge is very similar to Intro 3 and 5. We are not going to explain it in detail here since we have already done it. For more information on JavaScript vulnerabilities and countermeasures, please visit the previous tutorials.
Meanwhile, let’s view the challenge and dive into it.
Go ahead and type something into the password field and see the response.
If the password you enter is incorrect, a small window pops up with the message that the password is not correct. Let’s view the source code of the page and analyze the “Incorrect password” message.
Press CTRL + F, search for the “Incorrect password” string, and inspect the script around it.
The developer used an “if” statement to compare the password value to the “document.thecode” variable. Let’s search for it and see what we can find.
It looks like we found the code, which is “code123.” Let’s try it and see if it works.
It didn’t work this time. Let’s search for the word “thecode” instead of “document.thecode,” and inspect further.
Here we found our password, but it is encoded as hexadecimal characters. Copy the hex value and decode it with any online hex converter.
There it is. Copy the password and use it on the login page to pass the challenge.
If for some reason you have to use a similar system in a production environment (I don’t know why you would, but anyway…), at least use something stronger than a hex-encoded value in the page source: hex is an encoding, not encryption, and anything shipped to the browser can be decoded just as easily as we did here.