XECryption

[d3volution]

Hi folks,

I'm quit new to security, computers and programming. I decided to write a Javascript program to decrypt XECryption. Like I said I am new to programming and this to alot of effort from me so I just wanted to see what you guys thought of it.


D3vo

Link removed by Defience(spoiler for real 6)

[Avery17]

Very nicely done. It easily completes Realistic 6 so I guess its good. How about adding an encrypt method and a key box so we can set out own key? I made one of these myself in PHP and never added either of those features I just mentioned so I really should follow my own advice as well... lol

Mine doesn't look as fancy, I got kinda lazy with the input system but here it is.

Link removed by Defience(spoiler for real 6)


Damn I just found a bug in my code!

[d3volution]

Very nicely done. It easily completes Realistic 6 so I guess its good. How about adding an encrypt method and a key box so we can set out own key? I made one of these myself in PHP and never added either of those features I just mentioned so I really should follow my own advice as well... lol

Mine doesn't look as fancy, I got kinda lazy with the input system but here it is.

Link removed by Defience(spoiler for real 6)


Damn I just found a bug in my code!

Funny you should say that. I have already started coding one...

[Avery17]

Very nicely done. It easily completes Realistic 6 so I guess its good. How about adding an encrypt method and a key box so we can set out own key? I made one of these myself in PHP and never added either of those features I just mentioned so I really should follow my own advice as well... lol

Mine doesn't look as fancy, I got kinda lazy with the input system but here it is.

Link removed by Defience(spoiler for real 6)


Damn I just found a bug in my code!

Funny you should say that. I have already started coding one...

Us coders think alike! Haha

And I didn't account for the first "." in my code and when its included it throws off my array. >:/ I shall be solving this for a while.

Alright I fix the bug and made it convert new line characters to <br /> tags. Made it look much nicer. Thanks for your inspiration of improving my script!

[d3volution]

I had that issue also. The way I resolved it was to check and see if character 0 was a "." if it is then create a substring in the same variable starting with character 1.

[Skiddie Killer]

Avery17, you have a non-persistent XSS hole in your page. Enter this string without a key:
.8.45.7.36.36.43.43.48.8.40.30.44.26.17.62.60.17.35.46.17.53.25.3.34.21.14.62.6.64.
38.14.57.30.35.16.63.30.52.34.34.-15.21.-10.-16.60.13.26.49.55.39.-11.53.35.-5.7.8.
19.43.31.-33.28.42.-11.49.7.4.-13.18.42.38.28.49.49.34.16.26.65.23.30.50.25.12.54.
46.37.64.15.38.28.-4

[Avery17]

Avery17, you have a non-persistent XSS hole in your page. Enter this string without a key:
.8.45.7.36.36.43.43.48.8.40.30.44.26.17.62.60.17.35.46.17.53.25.3.34.21.14.62.6.64.
38.14.57.30.35.16.63.30.52.34.34.-15.21.-10.-16.60.13.26.49.55.39.-11.53.35.-5.7.8.
19.43.31.-33.28.42.-11.49.7.4.-13.18.42.38.28.49.49.34.16.26.65.23.30.50.25.12.54.
46.37.64.15.38.28.-4

Nicely done, very creative. I gotta give you props, I never thought of that. But then again I never intended for any cookies to be stored on the page so its pretty much useless and there is no need for me to implement any form of html tag removal. Maybe I should anyways...

And to the bug, I explode the whole set of numbers into an array and seperate the numbers by the "." character. I just added a check to see if the array value was empty or not.

[Skiddie Killer]

You don't have to store any cookies for this to be a security threat. Let's say we have a site like yours, that writes stuff to the page without checking the input. An attacker can craft an URL like this:
http://www.somesite.com/application.php?input=<script>Malicious JavaScript here</script>
and post the link somewhere.
When a user clicks on the link, the JavaScript is executed.

[sanddbox]

Unless he modified his code, the input you gave doesn't do anything, SkiddieKiller. It just writes alert("XSS");. Maybe he modified it to strip tags.

Anyway, Avery17, nice job. Remember to always sanitize untrusted input. I've done something similar to what SkiddieKiller did on a hash cracking site.

[Avery17]

Unless he modified his code, the input you gave doesn't do anything, SkiddieKiller. It just writes alert("XSS");. Maybe he modified it to strip tags.

Anyway, Avery17, nice job. Remember to always sanitize untrusted input. I've done something similar to what SkiddieKiller did on a hash cracking site.

I added strip tags right after he told me actually but before it did work. Also thanks to him I found another XSS hole in my main page through a URL. It was a simple patch, I now see more when I code. Thanks guys.

Also I wrote my script like 7 or 8 months ago and haven't touched it since. I just bought a webserver and decided to take another look at all my old scripts.