How to solve hacking password textbox element by changing source code?

  • (2 Pages)
  • +
  • 1
  • 2

25 Replies - 8060 Views - Last Post: 18 October 2012 - 05:15 PM Rate Topic: -----

#1 general07z  Icon User is offline

  • New D.I.C Head

Reputation: 0
  • View blog
  • Posts: 20
  • Joined: 18-February 12

How to solve hacking password textbox element by changing source code?

Posted 17 October 2012 - 06:04 AM

Hello,


For login form we have to elements (Textbox) which is username and password for every website in general.

Anyway, with Google Chrome there is a tool called "Developer tools". using this tool we can change anything in the source code.

So for example this is the code for login:

<form action="login.php" method="post">
<label for="user">USERNAME</label>
<input name="user" type="text" value="" />
</p>

<p><label for="pass">PASSWORD</label>
<input  name="pass" type="password" value="" />
</p>

<p><input name="submit" type="submit" value="LOGIN" /></p> 




In this code we have two type of text-boxes which are "text" for normal text and "password" to change the input to (*****)


By using Google Chrome I can change the type of text-box from "password" to "text" then the password will appear to me :(



I tired:

1- Hiding the source code- but cannot hide it!
2- take the login code to different page - still appear!



How can I solve this problem?
and sorry for my English :(

Is This A Good Question/Topic? 0
  • +

Replies To: How to solve hacking password textbox element by changing source code?

#2 general07z  Icon User is offline

  • New D.I.C Head

Reputation: 0
  • View blog
  • Posts: 20
  • Joined: 18-February 12

Re: How to solve hacking password textbox element by changing source code?

Posted 17 October 2012 - 06:12 AM

If you did not understand what I have said:
This is an example:

http://totallynoob.c...th-Chrome-Tools

OR these three images:

1-
Posted Image

2-


Posted Image

3-


Posted Image
Was This Post Helpful? 0
  • +
  • -

#3 Sho Ke  Icon User is offline

  • D.I.C Regular
  • member icon

Reputation: 110
  • View blog
  • Posts: 250
  • Joined: 13-October 11

Re: How to solve hacking password textbox element by changing source code?

Posted 17 October 2012 - 06:13 AM

View Postgeneral07z, on 17 October 2012 - 01:04 PM, said:

1- Hiding the source code- but cannot hide it!

HTML cannot be hidden; the browser is responsible for parsing the page's HTML, not the server, so trying to hide HTML source will be impossible.

Quote

2- take the login code to different page - still appear!

Do you mean changing the action attribute of the form?

There really isn't anything to worry about. When someone uses Chrome's developer tools or a plugin to edit HTML/CSS/JS code, the change only takes place on their browser. In other words, if a person using computer X modifies the HTML to change type="password" to type="text" , a person using computer Y is NOT effected in any way whatsoever.
Was This Post Helpful? 1
  • +
  • -

#4 general07z  Icon User is offline

  • New D.I.C Head

Reputation: 0
  • View blog
  • Posts: 20
  • Joined: 18-February 12

Re: How to solve hacking password textbox element by changing source code?

Posted 17 October 2012 - 06:22 AM

Hello Sho Ke,


Thanks for your reply.

Yeah the changes will be only on their computer. But my lecturer does not want this to appear. He said I should not be able to see the password.

I really searched around a lot but I cannot get the solution because even Facebook and Google I can see the password. So they do not consider this as an issue.

What if using Javascript code? or Ajax ? is it possible to hide this HTML type="password" ?

This post has been edited by general07z: 17 October 2012 - 06:24 AM

Was This Post Helpful? 0
  • +
  • -

#5 CTphpnwb  Icon User is online

  • D.I.C Lover
  • member icon

Reputation: 2889
  • View blog
  • Posts: 10,004
  • Joined: 08-August 08

Re: How to solve hacking password textbox element by changing source code?

Posted 17 October 2012 - 06:29 AM

Javascript can be seen and altered by the user too. It's just a matter of how much they know and how much effort they're willing to put in. That's why it's so important to validate everything server-side. Never trust the user.
Was This Post Helpful? 2
  • +
  • -

#6 Sho Ke  Icon User is offline

  • D.I.C Regular
  • member icon

Reputation: 110
  • View blog
  • Posts: 250
  • Joined: 13-October 11

Re: How to solve hacking password textbox element by changing source code?

Posted 17 October 2012 - 06:34 AM

Nothing is going to stop someone from using developer tools to change the value of an attribute. Is your lecturer actually using dev tools to see if the password field can be changed like that? He would have a point if the password field is set to text and not password.

The purpose of having password fields' characters appear as asterisks(*) instead of real letters and numbers is to prevent people hovering over someone's computer to see someone's password as they type it in. Submitting a form with a text field instead of password field means nothing to the server.

Edit: And as CTphpnwb and myself said earlier, JS is also a client-side language. It too can be modified by the user. Also, keep in mind AJAX is not a stand alone language. AJAX is Javascript.

This post has been edited by Sho Ke: 17 October 2012 - 06:36 AM

Was This Post Helpful? 1
  • +
  • -

#7 general07z  Icon User is offline

  • New D.I.C Head

Reputation: 0
  • View blog
  • Posts: 20
  • Joined: 18-February 12

Re: How to solve hacking password textbox element by changing source code?

Posted 17 October 2012 - 06:47 AM

What I was thinking is that maybe if I use Javascript. My lecturer may not understand Javascript. So I won't have problems when he tries to do something in my presentation day.

There is no way to encrypt the login form?
Was This Post Helpful? 0
  • +
  • -

#8 Sho Ke  Icon User is offline

  • D.I.C Regular
  • member icon

Reputation: 110
  • View blog
  • Posts: 250
  • Joined: 13-October 11

Re: How to solve hacking password textbox element by changing source code?

Posted 17 October 2012 - 06:50 AM

Again, Javascript is just as susceptible to client-side changes as HTML is. Really, security shouldn't be placed on the client side.

Is your instructor actually telling you that the dev tool "hack" is a security risk, or did he just say the password field shouldn't be type="text"?

For the record, encryption isn't very secure as opposed to hashing, Encrypted strings can be decrypted, but hashed strings can't be "unhashed". But again, neither of these should be done on the client side, those asterisks should pretty much be the only security you need until you start handling the information on the server side

This post has been edited by Sho Ke: 17 October 2012 - 06:54 AM

Was This Post Helpful? 2
  • +
  • -

#9 general07z  Icon User is offline

  • New D.I.C Head

Reputation: 0
  • View blog
  • Posts: 20
  • Joined: 18-February 12

Re: How to solve hacking password textbox element by changing source code?

Posted 17 October 2012 - 06:55 AM

Yeah he is telling us that the dev tool "hack" is a security risk.

But I do not consider it as a security risk.
But you know we can not argue with the instructor else he will put eye on you while we present our websites.

This post has been edited by general07z: 17 October 2012 - 07:00 AM

Was This Post Helpful? 0
  • +
  • -

#10 jon.kiparsky  Icon User is online

  • Pancakes!
  • member icon


Reputation: 7564
  • View blog
  • Posts: 12,685
  • Joined: 19-March 11

Re: How to solve hacking password textbox element by changing source code?

Posted 17 October 2012 - 07:04 AM

This has been pretty well covered, but just to be perfectly clear about this point:

Everything that the user touches, they can change. They can use local css to change the appearance of the page, they can use dev tools (inspector, firebug, whatever) to change the behavior of buttons and elements.
This is basically like making notes in the margin of your copy of a book you've bought. Nobody can stop them from doing it, and there's no reason they should want to.

The user changing the appearance or behavior of the password field on their local machine affects nothing you care about.
Was This Post Helpful? 3
  • +
  • -

#11 no2pencil  Icon User is online

  • Dic Head
  • member icon

Reputation: 5170
  • View blog
  • Posts: 26,858
  • Joined: 10-May 07

Re: How to solve hacking password textbox element by changing source code?

Posted 17 October 2012 - 07:07 AM

View Postjon.kiparsky, on 17 October 2012 - 10:04 AM, said:

The user changing the appearance or behavior of the password field on their local machine affects nothing you care about.

Not to mention you can not use server side technology (php) to control client side (javascript/browser) events. It isn't possible.

Being a server side language, php prepares the code for client viewing. The browser receives the output code (html) & displays it. This is why you have browser compatibility issues, because FireFox, Internet Explorer, & Chrome (& others) all have their own idea as to the best way to handle client side code.

Thus the correct way to handle this is to set input type to password. If the client side is changing the type, there is nothing php can do to alter or prevent client side altering.

In the same token, think of it this way. Say the password is a sixteen digit number that you can not remember so you write it down. php is not capable of preventing you from writing it down. Thus, anything that happens beyond the server is not php's domain of responsibility, or control.
Was This Post Helpful? 2
  • +
  • -

#12 general07z  Icon User is offline

  • New D.I.C Head

Reputation: 0
  • View blog
  • Posts: 20
  • Joined: 18-February 12

Re: How to solve hacking password textbox element by changing source code?

Posted 17 October 2012 - 07:12 AM

Quote

The user changing the appearance or behavior of the password field on their local machine affects nothing you care about.


I agree with you. But what to do. Our instructor did not agree.
Was This Post Helpful? 0
  • +
  • -

#13 no2pencil  Icon User is online

  • Dic Head
  • member icon

Reputation: 5170
  • View blog
  • Posts: 26,858
  • Joined: 10-May 07

Re: How to solve hacking password textbox element by changing source code?

Posted 17 October 2012 - 07:16 AM

If your instructor doesn't understand client vs server side, he shouldn't be teaching a class on php.

Or it's possible you don't understand the project.

Either way, imo you should show this topic to your instructor for clarification.
Was This Post Helpful? 3
  • +
  • -

#14 jon.kiparsky  Icon User is online

  • Pancakes!
  • member icon


Reputation: 7564
  • View blog
  • Posts: 12,685
  • Joined: 19-March 11

Re: How to solve hacking password textbox element by changing source code?

Posted 17 October 2012 - 07:19 AM

View Postgeneral07z, on 17 October 2012 - 09:12 AM, said:

Quote

The user changing the appearance or behavior of the password field on their local machine affects nothing you care about.


I agree with you. But what to do. Our instructor did not agree.



In that case I would respectfully ask your instructor what he would recommend.
And please report back, I'd really like to know what he knows that nobody else has yet grasped.
Was This Post Helpful? 3
  • +
  • -

#15 CTphpnwb  Icon User is online

  • D.I.C Lover
  • member icon

Reputation: 2889
  • View blog
  • Posts: 10,004
  • Joined: 08-August 08

Re: How to solve hacking password textbox element by changing source code?

Posted 17 October 2012 - 07:25 AM

Another possibility is that your instructor is trying to make you learn for yourself the difference between client and server side code. For some reason — probably because HTML is often mixed with it — it seems to be a very difficult thing to get beginners to understand. If I were teaching a class like this I might also have you look for a way to force the client side to hide the password. If you spend enough time trying to do it you're bound to learn that it can't be done!
Was This Post Helpful? 2
  • +
  • -

  • (2 Pages)
  • +
  • 1
  • 2