XECryption

The fear of every surveillance society: citizens protecting their own privacy with strong cryptography

Post by d3volution on Fri Oct 15, 2010 8:49 am

Hi folks,

I'm quite new to security, computers and programming. I decided to write a JavaScript program to decrypt XECryption. Like I said, I am new to programming and this took a lot of effort from me, so I just wanted to see what you guys thought of it. :?:


D3vo

Link removed by Defience(spoiler for real 6)

Re: XECryption

Post by Avery17 on Fri Oct 15, 2010 9:39 am

Very nicely done. It easily completes Realistic 6 so I guess it's good. How about adding an encrypt method and a key box so we can set our own key? I made one of these myself in PHP and never added either of those features I just mentioned so I really should follow my own advice as well... lol

Mine doesn't look as fancy, I got kinda lazy with the input system but here it is.

Link removed by Defience(spoiler for real 6)


Damn I just found a bug in my code!

Re: XECryption

Post by d3volution on Fri Oct 15, 2010 9:43 am

Avery17 wrote:Very nicely done. It easily completes Realistic 6 so I guess it's good. How about adding an encrypt method and a key box so we can set our own key? I made one of these myself in PHP and never added either of those features I just mentioned so I really should follow my own advice as well... lol

Mine doesn't look as fancy, I got kinda lazy with the input system but here it is.

Link removed by Defience(spoiler for real 6)


Damn I just found a bug in my code!


Funny you should say that. I have already started coding one...

Re: XECryption

Post by Avery17 on Fri Oct 15, 2010 9:46 am

d3volution wrote:
Avery17 wrote:Very nicely done. It easily completes Realistic 6 so I guess it's good. How about adding an encrypt method and a key box so we can set our own key? I made one of these myself in PHP and never added either of those features I just mentioned so I really should follow my own advice as well... lol

Mine doesn't look as fancy, I got kinda lazy with the input system but here it is.

Link removed by Defience(spoiler for real 6)


Damn I just found a bug in my code!


Funny you should say that. I have already started coding one...


Us coders think alike! Haha

And I didn't account for the first "." in my code and when it's included it throws off my array. >:/ I shall be solving this for a while.

Alright, I fixed the bug and made it convert new line characters to <br /> tags. Made it look much nicer. Thanks for your inspiration of improving my script!

Re: XECryption

Post by d3volution on Fri Oct 15, 2010 9:58 am

I had that issue also. The way I resolved it was to check and see if character 0 was a "." if it is then create a substring in the same variable starting with character 1.

Re: XECryption

Post by Skiddie Killer on Fri Oct 15, 2010 10:03 am

Avery17, you have a non-persistent XSS hole in your page. Enter this string without a key:
.8.45.7.36.36.43.43.48.8.40.30.44.26.17.62.60.17.35.46.17.53.25.3.34.21.14.62.6.64.
38.14.57.30.35.16.63.30.52.34.34.-15.21.-10.-16.60.13.26.49.55.39.-11.53.35.-5.7.8.
19.43.31.-33.28.42.-11.49.7.4.-13.18.42.38.28.49.49.34.16.26.65.23.30.50.25.12.54.
46.37.64.15.38.28.-4

Re: XECryption

Post by Avery17 on Fri Oct 15, 2010 5:23 pm

Skiddie Killer wrote:Avery17, you have a non-persistent XSS hole in your page. Enter this string without a key:
.8.45.7.36.36.43.43.48.8.40.30.44.26.17.62.60.17.35.46.17.53.25.3.34.21.14.62.6.64.
38.14.57.30.35.16.63.30.52.34.34.-15.21.-10.-16.60.13.26.49.55.39.-11.53.35.-5.7.8.
19.43.31.-33.28.42.-11.49.7.4.-13.18.42.38.28.49.49.34.16.26.65.23.30.50.25.12.54.
46.37.64.15.38.28.-4


Nicely done, very creative. I gotta give you props, I never thought of that. But then again I never intended for any cookies to be stored on the page so it's pretty much useless and there is no need for me to implement any form of HTML tag removal. Maybe I should anyways...

And to the bug, I explode the whole set of numbers into an array and separate the numbers by the "." character. I just added a check to see if the array value was empty or not.

Re: XECryption

Post by Skiddie Killer on Fri Oct 15, 2010 6:56 pm

You don't have to store any cookies for this to be a security threat. Let's say we have a site like yours, that writes stuff to the page without checking the input. An attacker can craft a URL like this:
http://www.somesite.com/application.php?input=<script>Malicious JavaScript here</script>
and post the link somewhere.
When a user clicks on the link, the JavaScript is executed.

Re: XECryption

Post by sanddbox on Fri Oct 15, 2010 7:44 pm

Unless he modified his code, the input you gave doesn't do anything, SkiddieKiller. It just writes alert("XSS");. Maybe he modified it to strip tags.

Anyway, Avery17, nice job. Remember to always sanitize untrusted input. I've done something similar to what SkiddieKiller did on a hash cracking site.

HTS User Composition:
95% Male
4.98% Female
.01% Monica
.01% Goat

Re: XECryption

Post by Avery17 on Fri Oct 15, 2010 10:04 pm

sanddbox wrote:Unless he modified his code, the input you gave doesn't do anything, SkiddieKiller. It just writes alert("XSS");. Maybe he modified it to strip tags.

Anyway, Avery17, nice job. Remember to always sanitize untrusted input. I've done something similar to what SkiddieKiller did on a hash cracking site.


I added strip tags right after he told me actually but before it did work. Also thanks to him I found another XSS hole in my main page through a URL. It was a simple patch, I now see more when I code. Thanks guys.

Also I wrote my script like 7 or 8 months ago and haven't touched it since. I just bought a webserver and decided to take another look at all my old scripts.

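The two issues discussed in this thread (the leading "." shifting the array, and decoded text being written to the page as HTML) can be handled together. The following is an added example, not code from any poster here: the function names are hypothetical, and the decoding rule (each character is three dot-separated integers whose sum minus the key gives the character code) is an assumption that matches the keyless test string Skiddie Killer posted.

```javascript
// Added example. Assumed rule (consistent with the string posted in this
// thread): three dot-separated integers sum to (character code + key).
function parseTokens(cipherText) {
  // Empty fields from a leading/trailing "." or wrapped lines are dropped
  // here, so they cannot shift the triples that follow.
  const fields = cipherText.split(/[.\s]+/).filter((f) => f !== "");
  if (fields.length % 3 !== 0) throw new Error("token count not a multiple of 3");
  return fields.map((f) => {
    if (!/^-?\d+$/.test(f)) throw new Error("non-numeric token: " + f);
    return Number(f);
  });
}

function decode(cipherText, key = 0) {
  const n = parseTokens(cipherText);
  let out = "";
  for (let i = 0; i < n.length; i += 3) {
    const code = n[i] + n[i + 1] + n[i + 2] - key;
    if (code < 0 || code > 0xffff) throw new Error("character code out of range");
    out += String.fromCharCode(code);
  }
  return out;
}

// The decoded text is as untrusted as the ciphertext that produced it, so it
// is encoded for the HTML context at the point of output.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Escape first, then add the <br /> markup, so the only tags in the result
// are the ones this function generated itself.
function renderDecoded(cipherText, key = 0) {
  return escapeHtml(decode(cipherText, key)).replace(/\r?\n/g, "<br />");
}

// The keyless test string from the thread, line wraps included.
const THREAD_SAMPLE =
  ".8.45.7.36.36.43.43.48.8.40.30.44.26.17.62.60.17.35.46.17.53.25.3.34.21.14.62.6.64.\n" +
  "38.14.57.30.35.16.63.30.52.34.34.-15.21.-10.-16.60.13.26.49.55.39.-11.53.35.-5.7.8.\n" +
  "19.43.31.-33.28.42.-11.49.7.4.-13.18.42.38.28.49.49.34.16.26.65.23.30.50.25.12.54.\n" +
  "46.37.64.15.38.28.-4";

console.log(renderDecoded(THREAD_SAMPLE));
```

In a browser, assigning the decoded string to `textContent` rather than building HTML avoids the escaping step altogether.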
