JavaScript Hacking
1. I need the HTML source code of pages
A web page consists of a main document and, if it is built with frames, of any number of child pages (the frames). Parts of the script code may be in any of them. There are different ways to get the source code of the HTML pages. The easiest is a right click in the desired frame, then choosing "View Source". If that doesn't work for whatever reason, try saving the whole page to your desktop via the "File" menu.
If scripts in the page disable right clicks or create popups, disable scripting in the browser menu first. Additional problems can come up if you are inside a frameset and need to break out of it. Simply look for the name of the child window you want to go to inside the parent frame's HTML source and plug that name into the browser. If you can't get the source that way, you can use programs like "codelifter" to get it, or just telnet to the web server.
2. I need to analyze the html source code and find the JavaScript code inside.
Now that you have the HTML source code, look for the <script> and </script> tags. Inside those tags is the script code responsible for the password protection. The code looks like standard Java, C# or C++ code and is easy to understand. Now look through the HTML source again and find the <form> and </form> tags. There may be more than one as a distraction, but the one you are looking for should reference, as its action, the name of a password script function you found.
There may also be distractions inside the HTML source, like comment tags that hide the JavaScript code, so make sure you have the complete HTML source. Also scroll through the whole source file: there are programs that pad HTML code with lots of spaces to hide parts of the code in very long lines, or at the very end of the file behind a few thousand empty lines.
3. I need to analyze the found password scripting function.
First make sure this is the function that really gets called, and not fake code to fool you. Now see whether you find any hardcoded URLs inside the password script. JavaScript opens new web pages with something like:
_self meaning in a new window, or:
So if you find a hardcoded URL, paste it into your browser and you are done. If the function builds the URL from the entered password or username and does not check them, you will have to find them both, either by fooling the owner of the password into giving it to you or by finding it written down somewhere.
If the script checks the entered password against something, either the plain-text password or some generated hash, you can often read or guess the password from the comparison; just look for it. In the worst case you will have to understand the hash function and find passwords that satisfy the comparison. The only really secure script is one where the password itself is the URL that gets called, either in plain text or encrypted in some way. If you find a script like that and have no way to get the password, try to find other ways into the web server.
Sometimes people mess up file and/or folder restrictions, allowing access to parts of the web space that should be restricted, and that way you may find files that are not meant for outside use. If that also fails you are down to good old brute forcing. That's not allowed in here, and won't be necessary. If brute forcing the web server fails as well, you would then attack other services like FTP in the hope of getting access to the web files.
Tutorial by Raduce