spacer
Web Development Tutorials JAVASCRIPT Tutorials
 Developer Newsletter

Tutorials
AJAX
ASP
CGI & Perl
CSS
Flash
HTML
Illustrator
Java
JavaScript
Linux
MySQL
PHP
Photoshop
Python
Wireless
XML
Miscellaneous


Scripts Directory
AJAX Scripts
ASP Scripts
ASP.NET Scripts
CGI & Perl Scripts
Flash Scripts
Java Scripts
JavaScript Scripts
PHP Scripts
Python Scripts
Remotely Hosted Scripts
Tools & Utilities Scripts
XML Scripts

Web Hosting Directory
ASP.NET
Budget
Dedicated Servers
Ecommerce
Linux
Resellers
Shared
Small Business
Windows

Developer Manuals
Learn HTML
Learn PHP
Learn CSS
Learn AJAX
Learn JavaScript
Learn Pear
Free White Papers

Developer Resources
Developer Tools
Developer Content
Survey Software
Dedicated Servers

Secret Access

By Will Bontrager
2005-09-24


Secret Access

You go to a web page without a form or prompt indicating it might double as a secret access to another web page.

You go ahead and type a certain sequence of characters on your keyboard. If you get it right, you are redirected to a secret web page.

To gain access to the secret web page in that way, a person needs to:

  1. Know the URL of the web page containing the secret access.

  2. Use a certain browser.

  3. Know the sequence of characters that translate into the location of the secret destination web page.

It's done with JavaScript.

There are three levels of obfuscation, in addition to the above requirements:

  1. The web page containing the secret access is devoid of any indication that such an access is present.

  2. The Secret Access JavaScript does not reveal its purpose. It requires one well versed in JavaScript to just figure out what it does.

  3. The exact secret destination web page location is never mentioned or referred to, anywhere in the Secret Access JavaScript. There is no clue.

Before revealing how it works, here is the Secret Access JavaScript, all 22 lines of it: 

<script type="text/javascript" language="JavaScript">

<!-- Copyright 2005 Bontrager Connection, LLC

var FerhFill = new String();

function Ferh(inouta) {

var inoutb = String.fromCharCode(inouta.which);

if(inoutb != '|') { FerhFill += inoutb; return; }

var ina = new Array('ferh','.','no','it','acol');

var inb = ina.join('');

var re = /slash/g; FerhFill = FerhFill.replace(re,'/');

re = /\./g; FerhFill = FerhFill.replace(re,'i');

re = /dot/g; FerhFill = FerhFill.replace(re,'.');

re = /z/g; FerhFill = FerhFill.replace(re,'a');

inb = '=' + inb;

var outa = inb.split('');

outa.reverse();

var outb = outa.join('');

eval(outb+'"'+FerhFill+'"');

}

document.captureEvents(Event.KEYPRESS);

document.onkeypress = Ferh;

//-->

</script>

When the secret access page containing the JavaScript is visited by a Mozilla browser, namely Netscape or Firefox, the JavaScript intercepts key presses. It does not intercept mouse clicks or movements, only keyboard key presses.

People in the know type a special sequence of characters on their keyboard after the web page with the JavaScript has loaded. When all the characters are typed, they then type the vertical bar character ("|") to signal the JavaScript that they are done.

On the web page, there is no indication about what is happening. There is no form, no invitation to provide information. Nothing.

Behind the scenes, the Secret Access JavaScript remembers the key presses until the vertical bar character is typed. At that point:

  1. The keys that were pressed are translated into a web page location, which is a URL or file name.

  2. The browser redirects itself to that location.

If there is no web page at that location, the browser displays a 404 page.

If the destination location should be kept out of the browser's address bar, instructions below show you how to redirect the page in an existing frame or popup window instead of redirecting the current window.

Of the browsers tested (IE, Opera, Netscape, Firefox), Netscape and Firefox are the only browsers this will work with. (Firefox was tested on both Windows and Mac OSX. Netscape was tested only on Windows — Netscape 6.)

Of particular note, the Secret Access JavaScript is silent in the world's most popular browser. It does nothing. This is one instance where an aspect of IE's differences is a good thing — for two reasons:

  1. There is less chance of a random visitor noticing something strange about the page and investigating.

  2. Even if a cracker figures out what the Secret Access JavaScript is supposed to do, s/he can try to guess the destination URL until the world goes flat, and never figure it out using IE.

    That is, if they don't just pass on it altogether because the thing doesn't do anything anyway. (IE doesn't capture and process key presses like real Mozilla browsers do.)

The browser restriction gives you a more secure secret.

Note: The secret access web page, the page containing the Secret Access JavaScript, should not have any forms or other invitations to use the keyboard keys. What's typed could inadvertently cause the JavaScript to try to redirect the user to another web page. This action can provide clues about the web page's secret functionality when no such clues should be provided.



Tutorial Pages:
» Secret Access
» Determining the Location's Sequence of Characters
» If Your Location Contains the Letter "z"
» Two Customizations for Further Obfuscation


Copyright 2004 Bontrager Connection, LLC

 | Bookmark Print |   Write For Us
Related Tutorials:
» JavaScript Debugging Techniques with Firebug
» Striped Tables Using JavaScript
» Opening PDFs in a New Window with JavaScript
» Essential Javascript -- A Javascript Tutorial
» Submit Forms Conditionally using JavaScript
» How to Setup a Randomising Function



About the NetVisits, Inc Network | Write For Us | Advertise
Copyright ©2007 NetVisits, Inc Network. All Rights Reserved. Privacy Policy. 		Visit other NetVisits, Inc. sites: