Passwords in Client-Side JavaScript (PicoCTF 2022 #14 'local-authority')

Поділитися
Вставка
  • Опубліковано 25 лис 2024

КОМЕНТАРІ • 26

  • @LDowning0190
    @LDowning0190 2 роки тому +21

    The extra effort at the end was much appreciated. Thank you sir.

  • @greyether777
    @greyether777 2 роки тому +8

    Even though we didn't use what we started in the first phase of the video I still learned something new...thanks John!!

  • @detecht
    @detecht 5 місяців тому

    Wow! I'm glad I got to see this. Everything you did, after finding the flag, was SO incredibly helpful! Such a great video! Thanks, John!

  • @rjmp7324
    @rjmp7324 2 роки тому +4

    I'm loving this series.

  • @micleh
    @micleh 2 роки тому +1

    18:07 "Nuggets" - YES! The question is: How and where to store them. I use Obsidian and tell my students to collect bits and pieces found on the way through our ICT classes in a "digital folder", preferably in a free format that still "lives" if the application "dies", which is Markdown in this case.

  • @zackbarletto2405
    @zackbarletto2405 2 роки тому +4

    Keep up the great work! You have taught me so much and I can't get enough of your videos! Excellent work my friend!

  • @drewzilla1263
    @drewzilla1263 2 роки тому +1

    Thanks for going thru these and giving the detail that you do!

  • @bhairavkedare9074
    @bhairavkedare9074 2 роки тому

    Dude , attention to detail man alt+left msb you're too good!💯

  • @lukecooper1693
    @lukecooper1693 2 роки тому +1

    I think as most of these CTF which use network traffic to contain a frame with the flag in , wireshark can be enabled on all CTF games with an alert set for the regular exxpression p{*.?*} so any thing yuo may have missed like white text on a white background containing the flag. wireshark will alert you to the flag and any other michevuous CTF flags. :p with a phython script to be made in its name to do just that on every ctf game.

  • @jhde9067
    @jhde9067 2 роки тому

    The silly stuff was a good way to see how to use the dev tools.

  • @AntiAtheismIsUnstoppable
    @AntiAtheismIsUnstoppable 2 роки тому +8

    The difference seems to lie in the method used. The first time you view the course with the GET method, but the second time you use a POST method, which is allowed to send data back to the client. POST is temporary, while GET is what you will always get when you request the page normally using a browser. A note on this is, pages generated with the POST are not reachable by search engines, so that is one difference.

    • @Channel-he5fr
      @Channel-he5fr 2 роки тому +1

      You can send any response back to the client for any request type.
      The difference between post and get is that post is encoded as a body, where GET stores variables in the URL
      Using express routing you can send any response
      The server side is simply checking the hash - if post body contains hash, then it returns the login page, false it returns res.send("not authorized")

    • @AntiAtheismIsUnstoppable
      @AntiAtheismIsUnstoppable 2 роки тому

      @@Channel-he5fr Yes, but in the video, the method was POST in the form.
      So, the first time he views source with method GET, but the second time it is POST because he submits the form, which then displays the javascript in the source.
      And the reason then why he cannot see the javascript the first time, is the GET method which is the standard method.
      ...but I just realized, that he actually explained what happened.

    • @Channel-he5fr
      @Channel-he5fr 2 роки тому +1

      You said post method - which is allowed to send data back to the client
      Just providing additional information based on our experience configuring express routes

    • @AntiAtheismIsUnstoppable
      @AntiAtheismIsUnstoppable 2 роки тому

      @@Channel-he5fr What I meant was, GET only send data back, while POST receives on the serverside and can send data back to the client too.
      GET is a one step process.
      POST is a two step process.
      GET is used to make database lookups for example, usually through query string, which is part of the URL and can therefore be indexed by search engines.
      POST can send query string too, but as you said, it can also send data in the body, and the response will also be hidden to search engines, so a page generated using POST will never be indexed.
      And this is one thing I use, if a request has a user agent of google for example, but uses method POST, then it is not a search engine so it gets a 404 in response. Search engines never use POST, because that is rightfully seen as internal, meaning private.

  • @lordspacecake5565
    @lordspacecake5565 2 роки тому +1

    Awsome videos!!!!

  • @mjtonyfire
    @mjtonyfire 2 роки тому

    I'm just bathing in the fountain of knowledge here... :-)

  • @sultanalrahbi2384
    @sultanalrahbi2384 2 роки тому

    big thankssssssssssssssssssssssssssssssss to you John, smart man

  • @iceber96
    @iceber96 2 роки тому

    Learning so much

  • @hshhsjhahsvs7728
    @hshhsjhahsvs7728 2 роки тому

    Cool

  • @jhde9067
    @jhde9067 2 роки тому

    The camera quality though

  • @Channel-he5fr
    @Channel-he5fr 2 роки тому +3

    There is no reason to check password client side - hash and salt on client side, decode and authenticate server side, then hash and salt for storage

  • @samuelgreenfield1754
    @samuelgreenfield1754 Рік тому

    Isn't the .php file like superfluous here? Couldn't the password be directly sent to the JavaScript file? And ideally wouldn't this be done all on the php script server side so no one can just read the correct password from source?

  • @web_resource
    @web_resource 2 місяці тому

    10:25

  • @ChristopherBruns-o7o
    @ChristopherBruns-o7o 3 місяці тому

    lol say 'ran somewhere ' 5x fast.

  • @anarkisgaming
    @anarkisgaming 2 роки тому

    Video Spam bad