Client-side login check with hardcoded reversed password
Foundations web engagement: CyberHeroes login validated entirely in JavaScript; username and ReverseString password were recoverable from page source.
- Case files
- Client-side login check with hardcoded reversed password
Page source compared inputs to h3ck3rBoi and ReverseString("54321@terceSrepuS"); reversing yielded SuperSecret@12345 and a successful login.
Extracted credentials from ReverseString logic and authenticated.
Engagement summary
Page source compared inputs to h3ck3rBoi and ReverseString("54321@terceSrepuS"); reversing yielded SuperSecret@12345 and a successful login.
CYBERHEROES exposed SSH and Apache with a club login page. Authentication was implemented only in client JavaScript: if (a.value=="h3ck3rBoi" & b.value==ReverseString("54321@terceSrepuS")). Reversing the string produced SuperSecret@12345. Submitting those credentials returned the protected artifact — no server-side password verification.
Business impact
Client-only auth is not authentication. Anyone can read secrets from JS. Move checks to the server, hash passwords, and never ship credentials or reversible transforms in the browser.
Source recovery and login
Extracted credentials from ReverseString logic and authenticated.
SOURCE · login.js
login.js
if (a.value == "h3ck3rBoi" &
b.value == ReverseString("54321@terceSrepuS")) {
// grant access
}
// ReverseString → SuperSecret@12345OPERATOR · LOGIN
savvy@lab:~$ nmap -sV 10.48.153.105
22/tcp open ssh
80/tcp open http Apache httpd 2.4.48
savvy@lab:~$ curl -s http://10.48.153.105/login.html | grep -A2 ReverseString
h3ck3rBoi / ReverseString("54321@terceSrepuS")
savvy@lab:~$ python3 -c "print('54321@terceSrepuS'[::-1])"
SuperSecret@12345
Remediation
Server-side sessions after password verify (bcrypt/Argon2). Remove secrets from static assets; add CSP and integrity checks for scripts.