If the password is in JavaScript then all anyone need do to see it is view the source of the page. At worst they would need to take a copy of the script and run parts of it to get the password.
Below is pretty much it. Beyond this portion is text and graphics unrelated to the script. I have seen other posts and sites that suggest th password is right out in the open. Running the script brings up the prompt but that's it.
I have removed any reference to what the site is in case the password is indeed that easy to get.
<body bgcolor="#ffffff">
<p><img src=Graphics/fflscript2.jpg alt="" height="129" width="612" border="0"></p>
<p><b><font size="+3">Reference Document Center</font></b></p>
<p><br>
If you have not been given your xxxxxx Password to access these documents</p>
<p>Please call our customer service line to get yours. 1-800-xxxxxxxxx</p>
<p><br>
</p>
<p><a onclick="CSAction(new Array(/*CMP*/'2A2D2654'));return CSClickReturn()" href="#" csclick="2A2D2654">Documents </a><font size="-1">(for those with an old password use only the first 7 characters)</font></p
Firstly... font tags? eww. Secondly you seem to have the same problem as before, you should not be using JavaScript to authenticate a username and password, all verification of users should be done serverside as client-side scripts are far too easily to manipulate and bypass.
How do you mean? I certainly don't know any sites that use font tags anymore and certainly no-one uses client-side scripting for logins, just take the forum's you have been on, I would wager all of them used some kind of server-side authentication to login to make mosts in the first place.
Fonts....whatever. I was more interested in someone 'showing' me that using that form of script is vulnerable. It seems just like the other forums it's apparently not the thing to do, but no one is actually able to demonstrate why. Just talk about it.
Oh and by the way, don't drink aspartame.. 'they say' it's bad for you.
Just take my word for it.
JavaScript is plain text, it can be seen by right clicking and viewing source, all someone needs to do is navigate to the file where the login details are held and they can just take it from the source code and use it, it doesn't require demonstration, you can do it yourself from within any web browser.
"JavaScript is plain text, it can be seen by right clicking and viewing source, all someone needs to do is navigate to the file where the login details are held and they can just take it from the source code and use it, it doesn't require demonstration, you can do it yourself from within any web browser."
Ok so in the initial post is the source from that part of the page.
Where does it show the specific location of the file where the login details are held.
Presumably either in CSScriptLib.js (since that is the only JavaScript file mentioned) or in a different JavaScript file that is dynamically loaded by CSScriptLib.js. Either that or there is additional code in the page that you didn't post that either contains the code or a link to the JavaScript file that contains the code.
Bookmarks