SIGNUP LOGIN

HOME TUTORIALS SCRIPTS ANSWERS ONLINE SERVICES TOOLS BLOG FORUM JOBS

Secret Access

By Will Bontrager
2005-09-24

You go to a web page without a form or prompt indicating it might double as a secret access to another web page.

You go ahead and type a certain sequence of characters on your keyboard. If you get it right, you are redirected to a secret web page.

To gain access to the secret web page in that way, a person needs to:

1. Know the URL of the web page containing the secret access.

2. Use a certain browser.

3. Know the sequence of characters that translate into the location of the secret destination web page.

It's done with JavaScript.

There are three levels of obfuscation, in addition to the above requirements:

1. The web page containing the secret access is devoid of any indication that such an access is present.

2. The Secret Access JavaScript does not reveal its purpose. It requires one well versed in JavaScript to just figure out what it does.

3. The exact secret destination web page location is never mentioned or referred to, anywhere in the Secret Access JavaScript. There is no clue.

Before revealing how it works, here is the Secret Access JavaScript, all 22 lines of it:

<script type="text/javascript" language="JavaScript">

<!-- Copyright 2005 Bontrager Connection, LLC

var FerhFill = new String();

function Ferh(inouta) {

var inoutb = String.fromCharCode(inouta.which);

if(inoutb != '|') { FerhFill += inoutb; return; }

var ina = new Array('ferh','.','no','it','acol');

var inb = ina.join('');

var re = /slash/g; FerhFill = FerhFill.replace(re,'/');

re = /\./g; FerhFill = FerhFill.replace(re,'i');

re = /dot/g; FerhFill = FerhFill.replace(re,'.');

re = /z/g; FerhFill = FerhFill.replace(re,'a');

inb = '=' + inb;

var outa = inb.split('');

outa.reverse();

var outb = outa.join('');

eval(outb+'"'+FerhFill+'"');

}

document.captureEvents(Event.KEYPRESS);

document.onkeypress = Ferh;

//-->

</script>

When the secret access page containing the JavaScript is visited by a Mozilla browser, namely Netscape or Firefox, the JavaScript intercepts key presses. It does not intercept mouse clicks or movements, only keyboard key presses.

People in the know type a special sequence of characters on their keyboard after the web page with the JavaScript has loaded. When all the characters are typed, they then type the vertical bar character ("|") to signal the JavaScript that they are done.

On the web page, there is no indication about what is happening. There is no form, no invitation to provide information. Nothing.

Behind the scenes, the Secret Access JavaScript remembers the key presses until the vertical bar character is typed. At that point:

1. The keys that were pressed are translated into a web page location, which is a URL or file name.

2. The browser redirects itself to that location.

If there is no web page at that location, the browser displays a 404 page.

If the destination location should be kept out of the browser's address bar, instructions below show you how to redirect the page in an existing frame or popup window instead of redirecting the current window.

Of the browsers tested (IE, Opera, Netscape, Firefox), Netscape and Firefox are the only browsers this will work with. (Firefox was tested on both Windows and Mac OSX. Netscape was tested only on Windows — Netscape 6.)

Of particular note, the Secret Access JavaScript is silent in the world's most popular browser. It does nothing. This is one instance where an aspect of IE's differences is a good thing — for two reasons:

1. There is less chance of a random visitor noticing something strange about the page and investigating.

2. Even if a cracker figures out what the Secret Access JavaScript is supposed to do, s/he can try to guess the destination URL until the world goes flat, and never figure it out using IE.

   That is, if they don't just pass on it altogether because the thing doesn't do anything anyway. (IE doesn't capture and process key presses like real Mozilla browsers do.)

The browser restriction gives you a more secure secret.

Note: The secret access web page, the page containing the Secret Access JavaScript, should not have any forms or other invitations to use the keyboard keys. What's typed could inadvertently cause the JavaScript to try to redirect the user to another web page. This action can provide clues about the web page's secret functionality when no such clues should be provided.

Tutorial pages: Secret Access Determining the Location's Sequence of Characters If Your Location Contains the Letter "z" Two Customizations for Further Obfuscation

Copyright 2004 Bontrager Connection, LLC

Stumble It!

2 Votes Select Rating Excellent Very Good Good Fair Poor Showcase Your Tutorials

You might also want to check these out: Client Side Data Binding Using jQuery JavaScript Debugging Techniques with Firebug Striped Tables Using JavaScript Opening PDFs in a New Window with JavaScript Essential Javascript -- A Javascript Tutorial Submit Forms Conditionally using JavaScript

You must be logged in to post a comment.

Link to This Tutorial Page!
<a href="http://www.developertutorials.com/tutorials/javascript/secret-website-access-050924/page1.html" title="Secret Access">Secret Access - Secret Access</a>

Tutorials AJAX ASP CGI & Perl CSS Flash HTML Illustrator Java JavaScript Linux MySQL PHP Photoshop Python Wireless XML Miscellaneous Scripts AJAX ASP ASP.NET CGI & Perl Flash Java JavaScript PHP Python Remotely Hosted Tools & Utilities XML Online Services Domain Names Hard Drive Recovery Internet Marketing Online Backup Online Training Payment Processing SaaS Software Escrow Web Design Web Development Web Hosting Directory Web Hosting Articles Developer Manuals Learn HTML Learn PHP Learn CSS Learn AJAX Learn JavaScript Learn Pear White Papers Resources Tutorial Directory Webmaster News Developer Content

Write For Us | Advertise with Us
Website Design by Ducani Media Group. Copyright ©2004-2010 NetVisits, Inc. All Rights Reserved. Privacy Policy.