1

I'm creating an XSS challenge and, if the user can show the alert() directly in the page, he can get the flag (password) to validate the challenge.

I have a problem: my code returns a console.log("password"), so I obfuscated it, but if the user goes to the console of his browser and writes "alert();", he will get the password of the challenge directly without finding it on his own.

My code is:

    // Wrap the native alert() so every call also logs the challenge password
    (function (proxy) {
        window.alert = function () {
            console.log("PasswordOfTheChallenge");
            // Forward the call to the original alert() with the same arguments
            return proxy.apply(this, arguments);
        };
    })(window.alert);

I'm using https://obfuscator.io/ to obfuscate my code.

So is it possible to detect if the alert() comes from the page directly or from the browser console directly?

PS: even if my code is obfuscated, I can still input alert() in the browser console and the console.log() will return me the good password (readable).

  • 2
    Possible duplicate of [How can we know if a function is called from console or from source code](https://stackoverflow.com/questions/24966759/how-can-we-know-if-a-function-is-called-from-console-or-from-source-code) – Obsidian Age Jul 08 '18 at 23:40
  • I would just look at your code and get the password that way, as you've hard-coded it in the JS. And I probably wouldn't even have to deobfuscate it, as the password itself probably wouldn't be obfuscated – Patrick Evans Jul 08 '18 at 23:41
  • Validate submissions on the server! – Ry- Jul 09 '18 at 00:30
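The server-side design the comments point to, as an added example that is not part of the question or its comments: the flag exists only in the server process, the page served to the player contains neither the flag nor an alert hook, and the server decides that alert() fired by loading its own rendering of the submission in a headless browser it controls. Whether the player calls alert() from the page or from the console is then irrelevant, because the player's browser is never consulted. The template, the function names, the `visit` callback and the flag value are all assumptions made for the example; the headless-browser call is shown only as a comment.

```javascript
// Added example (not the question's code): an XSS challenge design in which
// the flag never reaches the client. Names, template and flag value are
// hypothetical/constructed for the demo.

// Secret held only in the server process.
const FLAG = process.env.CHALLENGE_FLAG || "flag{constructed-demo-value}";

// The pattern from the question: the flag is embedded in the page's script,
// so it is readable from the source (obfuscated or not) and from the console.
function renderLeakyPage() {
  return `<!doctype html><script>
(function (proxy) {
  window.alert = function () {
    console.log(${JSON.stringify(FLAG)});
    return proxy.apply(this, arguments);
  };
})(window.alert);
</script>`;
}

// The server-side design: the page the player attacks contains no secret and
// no alert hook. (Hypothetical vulnerable template standing in for the real
// challenge page; the parameter is deliberately not escaped.)
function renderChallengePage(userInput) {
  return `<!doctype html><p>Hello ${userInput}</p>`;
}

// Check: can the flag be recovered from what the client is sent?
function flagRecoverableFromSource(html) {
  return html.includes(FLAG);
}

// The player submits only the input they claim triggers alert(). The server
// renders it itself and hands the HTML to `visit`, a function that loads the
// page in a headless browser the server owns and returns the messages of the
// dialogs that browser saw. It is injected so this logic runs without a
// browser; a real, asynchronous one would look roughly like (Puppeteer API):
//   page.on("dialog", d => { seen.push(d.message()); d.dismiss(); });
//   await page.setContent(html);
function verifySubmission(userInput, visit) {
  const html = renderChallengePage(userInput);
  const dialogs = visit(html);
  if (!Array.isArray(dialogs) || dialogs.length === 0) {
    // No alert in the server's browser: whatever happened in the player's
    // own console does not count, because that browser is never consulted.
    return { solved: false, flag: null };
  }
  // Only now does the flag leave the server, in the response to this submission.
  return { solved: true, flag: FLAG };
}

// Stand-alone demo with a stub visitor (no browser available here).
console.log("leaky page exposes flag:", flagRecoverableFromSource(renderLeakyPage()));
console.log("challenge page exposes flag:", flagRecoverableFromSource(renderChallengePage("guest")));
console.log("submission with no observed dialog:", verifySubmission("guest", () => []));
```

The stub visitor stands in for the only trustworthy observer: a browser the server runs. Hooking alert() in the player's page and reporting back to the server does not help, since anything the page can send, the player can send from the console too.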

0 Answers