I've created an Capture The Flag challenge for me and a few of my mates, and for the final challenge, you're goal is to log in as admin to a site. Now the site doesn't use any server side languages (since it's purposely insecure and I'd rather not take a risk). It's pretty much a challenge where you look around the admin's "social media page" and try to find hints on the password using steganography, cryptography, and straight up guessing. Now to ensure that the players don't cheat (since I have to use HTML and JavaScript), I have a simple script that if you try to login as admin, it encrypts it and matches it with the key. (if i'm being a bit confusing, src code is here). Wouldn't this be secure even though it is client side encryption? (Note that the username is encrypted in MD2 on purpose)
Asked
Active
Viewed 273 times
1
-
1[This page](http://jgae.de/sdaeng.htm) has a vaguely similar idea. The approach is secure, at least, if you use SSL and a strong password. It just turns out not to be particularly useful for most real-world applications. – paj28 Sep 15 '17 at 21:52
-
Alright, thank you! Mind putting this as an answer so I can give you the reputation you deserve? – The Gamer King Sep 15 '17 at 21:53
-
@paj28 and yeah, it wouldn't be that useful for real world application. Just made it for an excercise for my friend – The Gamer King Sep 15 '17 at 21:56
-
why can't i set a breakpoint on the code that compares the password hashes? – dandavis Sep 16 '17 at 20:26
-
What do you mean? And by I do you mean you or me? – The Gamer King Sep 17 '17 at 19:23
-
@dandavis, what did you mean? – The Gamer King Sep 18 '17 at 16:09