///Secret Access

Secret Access

Secret Access

You go to a web page without a form or prompt indicating it might double as a secret access to another web page.

You go ahead and type a certain sequence of characters on your keyboard. If you get it right, you are redirected to a secret web page.

To gain access to the secret web page in that way, a person needs to:

  1. Know the URL of the web page containing the secret access.

  2. Use a certain browser.

  3. Know the sequence of characters that translate into the location of the secret destination web page.

It’s done with JavaScript.

There are three levels of obfuscation, in addition to the above requirements:

  1. The web page containing the secret access is devoid of any indication that such an access is present.

  2. The Secret Access JavaScript does not reveal its purpose. It requires one well versed in JavaScript to just figure out what it does.

  3. The exact secret destination web page location is never mentioned or referred to, anywhere in the Secret Access JavaScript. There is no clue.

Before revealing how it works, here is the Secret Access JavaScript, all 22 lines of it:

<script type="text/javascript" language="JavaScript">

<!-- Copyright 2005 Bontrager Connection, LLC
var FerhFill = new String();
function Ferh(inouta) {
var inoutb = String.fromCharCode(inouta.which);
if(inoutb != '|') { FerhFill += inoutb; return; }
var ina = new Array('ferh','.','no','it','acol');
var inb = ina.join('');
var re = /slash/g; FerhFill = FerhFill.replace(re,'/');
re = /\./g; FerhFill = FerhFill.replace(re,'i');
re = /dot/g; FerhFill = FerhFill.replace(re,'.');
re = /z/g; FerhFill = FerhFill.replace(re,'a');
inb = '=' + inb;
var outa = inb.split('');
var outb = outa.join('');
document.onkeypress = Ferh;

When the secret access page containing the JavaScript is visited by a Mozilla browser, namely Netscape or Firefox, the JavaScript intercepts key presses. It does not intercept mouse clicks or movements, only keyboard key presses.

People in the know type a special sequence of characters on their keyboard after the web page with the JavaScript has loaded. When all the characters are typed, they then type the vertical bar character ("|") to signal the JavaScript that they are done.

On the web page, there is no indication about what is happening. There is no form, no invitation to provide information. Nothing.

Behind the scenes, the Secret Access JavaScript remembers the key presses until the vertical bar character is typed. At that point:

  1. The keys that were pressed are translated into a web page location, which is a URL or file name.

  2. The browser redirects itself to that location.

If there is no web page at that location, the browser displays a 404 page.

If the destination location should be kept out of the browser’s address bar, instructions below show you how to redirect the page in an existing frame or popup window instead of redirecting the current window.

Of the browsers tested (IE, Opera, Netscape, Firefox), Netscape and Firefox are the only browsers this will work with. (Firefox was tested on both Windows and Mac OSX. Netscape was tested only on Windows — Netscape 6.)

Of particular note, the Secret Access JavaScript is silent in the world’s most popular browser. It does nothing. This is one instance where an aspect of IE’s differences is a good thing — for two reasons:

  1. There is less chance of a random visitor noticing something strange about the page and investigating.

  2. Even if a cracker figures out what the Secret Access JavaScript is supposed to do, s/he can try to guess the destination URL until the world goes flat, and never figure it out using IE.

    That is, if they don’t just pass on it altogether because the thing doesn’t do anything anyway. (IE doesn’t capture and process key presses like real Mozilla browsers do.)

The browser restriction gives you a more secure secret.

Note: The secret access web page, the page containing the Secret Access JavaScript, should not have any forms or other invitations to use the keyboard keys. What’s typed could inadvertently cause the JavaScript to try to redirect the user to another web page. This action can provide clues about the web page’s secret functionality when no such clues should be provided.

Determining the Location’s Sequence of Characters

The sequence of characters to be typed at the secret access web page are determined from the location the browser shall be redirected to, the secret destination location.

The location can be a file name, a relative URL, or an absolute http://… URL. Examples:



The first example location is a file in the directory where the secret access web page is located.

The second example is a file in the "fast" subdirectory.

The third is a file at domain example.com.

To determine the sequence of characters to be typed at the secret access web page, do these steps in order:

  1. Replace all period characters (".") in secret destination location with the characters: dot

  2. Replace all lower-case "i" characters with the period character: .

  3. Replace all lower-case "a" characters with the character: z

  4. Replace all forward slash characters ("/") with the characters: slash

The sequence of characters to be typed at the secret access web page for the three location examples above, are:



You probably noticed that when all "a" characters are replaced with "z", it means the destination location can have no "z" characters (otherwise they would be changed to "a" during translation). See the next section for information about how to change that, should your location contain the letter "z".

Give your privileged people the sequence of characters determined as above, along with the URL of the secret access web page. They type those characters, finalized by typing a vertical bar character, and they’ll be redirected to the secret destination location — provided they’re using Firefox or Netscape.

If Your Location Contains the Letter “z”

At line 12 of the Secret Access JavaScript, you’ll see:

re = /z/g; FerhFill = FerhFill.replace(re,'a');

This replaces any "z" characters with the "a" character during the translation process.

If your destination location has a letter "z", then replace the "z" in the above line with a letter that is not used in your location. Once the letter is determined, use that letter instead of "z" in step three of determining the sequence of characters to type at the secret access web page.

Two Customizations for Further Obfuscation

1. Additional Character Replacements —

If you wish to have additional character replacements, notice line 12 of the Secret Access JavaScript:

re = /z/g; FerhFill = FerhFill.replace(re,'a');

Duplicate that line in the JavaScript, immediately below the original.

In each duplicated line, replace the "z" with a letter not used in your destination location and replace the "a" (between the single quotes near the end of the line) with a letter that is used.

Then modify step three of determining the sequence of characters to include the additional character replacements.

2. Hiding Destination URL From Browser Address Bar —

The Secret Access JavaScript can redirect a web page in a frame (or iframe) or in a popup window, instead of the window where the access page is at. This can keep the destination location out of the browser’s address bar.

To do that, you’ll need to know the name assigned to the frame or popup window.

At line 17 of the Secret Access JavaScript, you’ll see


Replace that line with


FRAMENAME needs to be the name assigned to the frame or popup window.


Thus, you have a web page with a secret access. When a certain sequence of characters are typed on the keyboard, the browser is redirected to the secret destination, provided the browser is Netscape or Firefox.

2010-05-25T23:07:11+00:00 September 24th, 2005|JavaScript|0 Comments

About the Author:

Leave A Comment