Passwords in Client-Side JavaScript (PicoCTF 2022 #14 'local-authority')

  • Published 25 Apr 2022

COMMENTS • 24

  • @LDowning0190 2 years ago +20

    The extra effort at the end was much appreciated. Thank you sir.

  • @greyether777 2 years ago +7

    Even though we didn't use what we started in the first phase of the video I still learned something new...thanks John!!

  • @detecht 1 month ago

    Wow! I'm glad I got to see this. Everything you did, after finding the flag, was SO incredibly helpful! Such a great video! Thanks, John!

  • @rjmp7324 2 years ago +4

    I'm loving this series.

  • @zackbarletto2405 2 years ago +4

    Keep up the great work! You have taught me so much and I can't get enough of your videos! Excellent work my friend!

  • @drewzilla1263 2 years ago +1

    Thanks for going thru these and giving the detail that you do!

  • @micleh 1 year ago +1

    18:07 "Nuggets" - YES! The question is: How and where to store them. I use Obsidian and tell my students to collect bits and pieces found on the way through our ICT classes in a "digital folder", preferably in a free format that still "lives" if the application "dies", which is Markdown in this case.

  • @AntiAtheismIsUnstoppable 2 years ago +8

    The difference seems to lie in the method used. The first time you view the course with the GET method, but the second time you use a POST method, which is allowed to send data back to the client. POST is temporary, while GET is what you will always get when you request the page normally using a browser. A note on this is, pages generated with the POST are not reachable by search engines, so that is one difference.

    • @Channel-he5fr 2 years ago +1

      You can send any response back to the client for any request type.
      The difference between post and get is that post is encoded as a body, where GET stores variables in the URL
      Using express routing you can send any response
      The server side is simply checking the hash - if post body contains hash, then it returns the login page, false it returns res.send("not authorized")

    • @AntiAtheismIsUnstoppable 2 years ago

      @Channel-he5fr Yes, but in the video, the method was POST in the form.
      So, the first time he views source with method GET, but the second time it is POST because he submits the form, which then displays the javascript in the source.
      And the reason then why he cannot see the javascript the first time, is the GET method which is the standard method.
      ...but I just realized, that he actually explained what happened.

    • @Channel-he5fr 2 years ago +1

      You said post method - which is allowed to send data back to the client
      Just providing additional information based on our experience configuring express routes

    • @AntiAtheismIsUnstoppable 2 years ago

      @Channel-he5fr What I meant was, GET only sends data back, while POST receives on the serverside and can send data back to the client too.
      GET is a one step process.
      POST is a two step process.
      GET is used to make database lookups for example, usually through query string, which is part of the URL and can therefore be indexed by search engines.
      POST can send query string too, but as you said, it can also send data in the body, and the response will also be hidden to search engines, so a page generated using POST will never be indexed.
      And this is one thing I use, if a request has a user agent of google for example, but uses method POST, then it is not a search engine so it gets a 404 in response. Search engines never use POST, because that is rightfully seen as internal, meaning private.

  • @lukecooper1693 2 years ago +1

    I think as most of these CTF which use network traffic to contain a frame with the flag in, Wireshark can be enabled on all CTF games with an alert set for the regular expression p{*.?*} so anything you may have missed like white text on a white background containing the flag. Wireshark will alert you to the flag and any other mischievous CTF flags. :p with a Python script to be made in its name to do just that on every CTF game.

  • @bhairavkedare9074 1 year ago

    Dude, attention to detail man alt+left msb you're too good!💯

  • @lordspacecake5565 2 years ago +1

    Awesome videos!!!!

  • @sultanalrahbi2384 2 years ago

    big thankssssssssssssssssssssssssssssssss to you John, smart man

  • @iceber96 2 years ago

    Learning so much

  • @jhde9067 2 years ago

    The silly stuff was a good way to see how to use the dev tools.

  • @mjtonyfire 2 years ago

    I'm just bathing in the fountain of knowledge here... :-)

  • @jhde9067 2 years ago

    The camera quality though

  • @hshhsjhahsvs7728 2 years ago

    Cool

  • @samuelgreenfield1754 1 year ago

    Isn't the .php file like superfluous here? Couldn't the password be directly sent to the JavaScript file? And ideally wouldn't this be done all on the php script server side so no one can just read the correct password from source?

  • @Channel-he5fr 2 years ago +3

    There is no reason to check password client side - hash and salt on client side, decode and authenticate server side, then hash and salt for storage
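
An added example (not from the video or from any commenter) of the server-side check that this comment and the question above it point toward, shown beside the client-side pattern named in the video title. The user name, password, and function names are constructed for illustration, and Node's built-in `crypto.scryptSync` is an assumed choice of password hash.

```javascript
const crypto = require('node:crypto');

// Weak pattern (constructed): the comparison ships to the browser, so anyone
// who opens the script in dev tools reads the credentials directly.
function clientSideCheck(username, password) {
  return username === 'admin' && password === 'constructed-sample-pw';
}

// Server side: store only a per-user random salt and a slow hash.
function makeRecord(password) {
  const salt = crypto.randomBytes(16);
  return { salt, hash: crypto.scryptSync(password, salt, 32) };
}

// Constructed sample user store; a real server would load this from a database.
const USERS = new Map([['admin', makeRecord('constructed-sample-pw')]]);
// Dummy record so unknown users cost the same hashing work as known ones.
const DUMMY = makeRecord(crypto.randomBytes(16).toString('hex'));

function verifyLogin(username, password) {
  const record = USERS.get(username);
  const { salt, hash } = record || DUMMY;
  const candidate = crypto.scryptSync(String(password), salt, 32);
  // Constant-time comparison; both buffers are always 32 bytes.
  const match = crypto.timingSafeEqual(candidate, hash);
  return record !== undefined && match;
}

// Hypothetical handler: takes a parsed POST body, returns what goes to the client.
function handleLogin(body) {
  const ok = verifyLogin(body.username, body.password);
  return ok
    ? { status: 200, body: 'welcome' }
    : { status: 401, body: 'not authorized' };
}
```

Only `handleLogin` and `verifyLogin` would run on the server; nothing they send back contains the password or its hash, whereas the source of `clientSideCheck` is the secret.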

  • @anarkisgaming 2 years ago

    Video Spam bad