A Challengers Handbook

by

Caesum

Javascript

Throughout these pages I will presume some level of knowledge; what I want to show is a few 'tricks' that will make you see a little more than you probably currently do. The first thing we will talk about regarding Javascript is viewing the source code. There are several ways of viewing the source code of web pages, presuming that you are using IE:

  • Right click, and view source. This may not always work: if the web page brings up some kind of prompt straight away, you may not get a chance to do it. Javascript can also disable this.

  • Retrieve the page from your cache. You should know where to find the cache and look through it. It can be useful. Mine is c:\documents and settings\administrator\local settings\temporary internet files\. Having just had a look I have 12500 files in the cache. The easiest way to find files in your cache is by search or by ordering by date just after refreshing your target page.

  • Use a URL. This is my personal favourite. Suppose your target page is something like http://www.google.com/ then simply type view-source:http://www.google.com/ in the address bar and wait for it to load. The resulting source should just appear in notepad. This happens before any javascript runs, so you can get straight to the source and see what it is doing.

    Now, on to Javascript challenges. Most simple Javascript challenges are about misdirection, for example pages with big blank areas in the source and a message that says 'HTML source hidden'. One of my favourites from this simple misdirection is the small piece of javascript that looks something like the following:

    <script src="JavaScript"><!--
    var pass;
    pass=prompt("Password:","");
    if(pass=="letmein") 
    { window.location.href="done.htm";
    }
    else
    { window.location.href="failed.htm";
    }
    --></script>
    

    In fact you can try it out here. So what is the pass? Well, it is not 'letmein'; in fact the correct pass is 'sheep'! Now you might be thinking, how on earth did that happen? Well, it's all misdirection. The first line says that the script is in a file called 'JavaScript', and the rest of what appears there is just a comment. So you need to look in the file called JavaScript to see the real source to the problem. In essence you should learn more than one lesson from this simple example. It's not just the silly javascript trick, it is about observation and understanding. With no understanding of Javascript you would never guess the answer or know what you were doing wrong. Even knowing Javascript inside out, the first time you came across this little problem it would probably catch you out. So the answer here is to load up the JavaScript file in your browser and view the real source code.
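The check described above can be automated. The following is an added example, not code from the original handbook: it lists every script element in a saved page, resolves the file that really gets loaded, and flags inline text that sits inside a tag with a src attribute and is therefore never run. The sample page, the base URL challenge.example and the function name auditScripts are constructed for illustration.

```javascript
// Constructed sample page, modelled on the snippet above.
const samplePage = `
<html><body>
<script src="JavaScript"><!--
var pass;
pass=prompt("Password:","");
if(pass=="letmein") { window.location.href="done.htm"; }
--></script>
<script>var harmless = 1;</script>
<script type="text/javascript" src='menu.js'></script>
</body></html>`;

// Return one record per <script> element: the external file it loads (if any)
// and whether it also carries inline text that the browser will not execute.
function auditScripts(html, baseUrl) {
  const scriptRe = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  // src may be double-quoted, single-quoted or unquoted
  const srcRe = /(?:^|\s)src\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;
  const findings = [];
  let m;
  while ((m = scriptRe.exec(html)) !== null) {
    const src = srcRe.exec(m[1]);
    const srcValue = src ? (src[1] ?? src[2] ?? src[3]) : null;
    const inline = m[2].trim();
    findings.push({
      src: srcValue,
      // The URL to open in the browser to read the code that actually runs
      realSource: srcValue ? new URL(srcValue, baseUrl).href : null,
      // Inline text next to a src attribute is ignored: treat it as a decoy
      decoyInline: srcValue !== null && inline.length > 0,
    });
  }
  return findings;
}

// Hypothetical address the page was saved from.
console.log(auditScripts(samplePage, "http://challenge.example/level1/index.htm"));
```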

    So, the next lesson in Javascript misdirection is the old 'what variable am I?' trick. This is basically where you add 2 and 2 and get 22 and not 4. Having said that, you should have no trouble with this. Often this will be accompanied by further misdirection, so that you may not realise that string concatenation is happening at a certain point rather than the expected integer addition.

    Finally we will just talk about getting values out of JavaScript challenges. So you have your html with some tricky javascript and you can't quite figure out what it has done. You need to check some value in it at a certain point. The best thing to do here is save it on your hard drive and put in some code of your own. The key call to think about is 'alert'. alert(somevar) will pop up a box on the screen with the value that you want to look at. Take a look at this where I have inserted a couple of alerts to tell us values at certain points.
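The two tips above fit together: probing a value and its type at each step exposes where concatenation replaces addition. This is an added example, not the page linked from the original text; constructedCheck, traceCheck and the probe callback are hypothetical names, and the probe records values where a saved copy of a page would call alert().

```javascript
// Constructed challenge logic: 'input' stands for what prompt() returns,
// which is always a string, even when the user types digits.
function constructedCheck(input, probe) {
  var a = input;
  var b = 2;
  var sum = a + b;        // string + number: concatenation, not addition
  probe("sum", sum);
  var scaled = sum * 2;   // '*' converts the string back to a number
  probe("scaled", scaled);
  return scaled == 44;
}

// Run the check with a recording probe in place of alert(), so every
// intermediate value is kept together with its type.
function traceCheck(input) {
  const trace = [];
  const probe = (label, value) =>
    trace.push(label + " = " + JSON.stringify(value) + " (" + typeof value + ")");
  const passed = constructedCheck(input, probe);
  return { passed, trace };
}

// The string "2" passes because "2" + 2 is "22"; the number 2 does not.
console.log(traceCheck("2"));
console.log(traceCheck(2));
```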

    Hopefully, with the above tips you should be able to start digging around in some of the simple Javascript levels, and should have enough confidence to start messing about with some more complicated javascript levels. Generally speaking, most javascript challenges are not much more sophisticated than what I have been talking about here. Just remember this: if it runs in javascript then you have the full source, it runs on your computer, and you can do whatever you like with it or to it.

    One of the nicest levels that I have seen had something along the lines of

    <script>
    <!--
    document.write(unescape("some horrible long string"));
    --></script>
    

    and that was all. The page decoded its own source, which contained more javascript, and ran it. One way to deal with such things is to open another window with something like

    <script>
    <!--
    msgWindow=window.open("","displayWindow","menubar=yes");
    msgWindow.document.write(unescape("some horrible long string"));
    --></script>
    

    and then you can just view the new window's source. Finally, when you are really stuck it is worth visiting some reference pages like those at Netscape or at Sun.
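An alternative to opening a second window is to decode the string as plain text without running it, repeating the step for as long as the result contains another document.write(unescape(...)) call. This is an added example, not code from the original handbook; the function names and the two-layer sample are constructed, and percentEncode only handles single-byte characters.

```javascript
// Decode %XX and %uXXXX sequences the way unescape() does.
function percentDecode(s) {
  return s.replace(/%u([0-9a-f]{4})|%([0-9a-f]{2})/gi,
    (_, u, h) => String.fromCharCode(parseInt(u || h, 16)));
}

// Encode every character as %XX (used only to build the constructed sample).
function percentEncode(s) {
  return Array.from(s, c =>
    "%" + c.charCodeAt(0).toString(16).padStart(2, "0")).join("");
}

// Matches document.write(unescape("...")) and captures the encoded string.
const writeRe = /document\.write\(\s*unescape\(\s*(["'])([\s\S]*?)\1\s*\)\s*\)/;

// Return every layer of the page, from the source as served down to the
// innermost decoded text. Nothing is executed; the cap stops runaway input.
function peelLayers(source, maxLayers = 10) {
  const layers = [source];
  let current = source;
  for (let i = 0; i < maxLayers; i++) {
    const m = writeRe.exec(current);
    if (!m) break;
    current = percentDecode(m[2]);
    layers.push(current);
  }
  return layers;
}

// Constructed two-layer sample: a page that writes a page that writes a page.
const inner = '<script>var pass = "constructed-example";</script>';
const middle =
  '<script>document.write(unescape("' + percentEncode(inner) + '"));</script>';
const outer =
  '<script>document.write(unescape("' + percentEncode(middle) + '"));</script>';

peelLayers(outer).forEach((layer, i) => console.log("layer " + i + ": " + layer));
```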

    Only one Javascript book, it is excellent, although perhaps not so good for real newbies.
