Case file

Client-side login check with hardcoded reversed password

Foundations web engagement: CyberHeroes login validated entirely in JavaScript; username and ReverseString password were recoverable from page source.

Foundations12 minWeb · Client-Side Auth · JavaScript
  • Page source compared inputs to h3ck3rBoi and ReverseString("54321@terceSrepuS"); reversing yielded SuperSecret@12345 and a successful login.

  • Extracted credentials from ReverseString logic and authenticated.

01

Engagement summary

Page source compared inputs to h3ck3rBoi and ReverseString("54321@terceSrepuS"); reversing yielded SuperSecret@12345 and a successful login.

CYBERHEROES exposed SSH and Apache with a club login page. Authentication was implemented only in client JavaScript: if (a.value=="h3ck3rBoi" & b.value==ReverseString("54321@terceSrepuS")). Reversing the string produced SuperSecret@12345. Submitting those credentials returned the protected artifact — no server-side password verification.

Business impact

Client-only auth is not authentication. Anyone can read secrets from JS. Move checks to the server, hash passwords, and never ship credentials or reversible transforms in the browser.

02

Source recovery and login

Extracted credentials from ReverseString logic and authenticated.

SOURCE · login.js

login.js

if (a.value == "h3ck3rBoi" &
    b.value == ReverseString("54321@terceSrepuS")) {
  // grant access
}
// ReverseString → SuperSecret@12345

OPERATOR · LOGIN

savvy@lab:~$ nmap -sV 10.48.153.105

22/tcp open ssh

80/tcp open http Apache httpd 2.4.48

savvy@lab:~$ curl -s http://10.48.153.105/login.html | grep -A2 ReverseString

h3ck3rBoi / ReverseString("54321@terceSrepuS")

savvy@lab:~$ python3 -c "print('54321@terceSrepuS'[::-1])"

SuperSecret@12345

Remediation

Server-side sessions after password verify (bcrypt/Argon2). Remove secrets from static assets; add CSP and integrity checks for scripts.