White Hat Institute

“Defend the Web” write-up (Intro 10 / JavaScript)

“Defend the Web” write-up (Intro 10: JavaScript code exposure and decryption)

The Intro 10 challenge is very similar to Intro 3 and 5. We are not going to explain it in detail here, since we have already done so. For more information on JavaScript vulnerabilities and countermeasures, please visit the previous tutorials.

Meanwhile, let’s view the challenge and dive into it.

Go ahead and type something into the password field and see the response.

 

If the password you enter is incorrect, a small pop-up window reports that the password is not correct. Let’s view the source code of the page and look for the “Incorrect password” message.

Press “CTRL + F”, search for the “Incorrect password” string, and inspect the script around it.

The developer used an “if” statement to compare the password value to the “document.thecode” variable. Let’s search for it and see what we can find.

Looks like we found the code, which is “code123.” Let’s try it and see if it works.

It didn’t work. Let’s search for the word “thecode” instead of “document.thecode” and inspect further.

Here we found our password, but it is encoded as hexadecimal characters. Copy the hex value and decode it with any online hex converter.

There it is. Copy the password and use it on the login page to pass the challenge.
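The manual search-and-decode steps above can be turned into a review check for your own front-end code. The following is an added example, not code from the challenge or from this write-up: it scans script source for string literals written as hex escapes and reports their decoded values. The sample script, the `\xNN` and `%NN` notations, and all function names are assumptions made for illustration.

```javascript
// Constructed sample of page script (not the challenge's real source).
const SAMPLE_PAGE_JS = String.raw`document.thecode = 'code123';
function check(pw) {
  if (pw == document.thecode) { alert('Correct'); } else { alert('Incorrect password'); }
}
thecode = '\x65\x78\x61\x6d\x70\x6c\x65';
var banner = unescape('%68%69');`;

// Matches one hex-encoded character in either assumed notation: \xNN or %NN.
const HEX_ESCAPE = /\\x([0-9a-fA-F]{2})|%([0-9a-fA-F]{2})/g;

// Decode \xNN and %NN sequences; every other character is left untouched.
function decodeHexEscapes(text) {
  return text.replace(HEX_ESCAPE, (_, a, b) =>
    String.fromCharCode(parseInt(a || b, 16)));
}

// Report each quoted literal holding at least `minEscapes` hex escapes,
// with its 1-based line number, raw text and decoded value.
function findEncodedLiterals(source, minEscapes = 2) {
  const findings = [];
  source.split('\n').forEach((line, index) => {
    // A single- or double-quoted literal, allowing backslash escapes inside.
    const literal = /(['"])((?:\\.|(?!\1)[^\\])*)\1/g;
    for (const match of line.matchAll(literal)) {
      const raw = match[2];
      const escapes = raw.match(HEX_ESCAPE) || [];
      if (escapes.length >= minEscapes) {
        findings.push({ line: index + 1, raw, decoded: decodeHexEscapes(raw) });
      }
    }
  });
  return findings;
}

// Print one line per finding for the constructed sample.
for (const f of findEncodedLiterals(SAMPLE_PAGE_JS)) {
  console.log(`line ${f.line}: ${f.raw} -> ${f.decoded}`);
}
```

Hex encoding is reversible without a key, so any literal this check reports is readable by everyone who loads the page.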

If for any reason you have to use a similar system in a production environment (I don’t know why you would, but anyway…), at least use a stronger encryption method.