-1

I am trying to create html form where a user (user is a red teamer, basically hacker) inputs a string which he got after solving some sort of challenge, and we have to validate that the string he got is correct or not.

The major problem i'm facing is that the string to which we have validate is "securepass", but any how it is getting revealed in the source code or in any file. I tried it saving in file "pass.txt" and then fetching it through javascript, but again the name of the file is getting revealed in the source code and user (hacker) can simply put the name of the file in the url and can access the file.

I also tried it doing through nodejs but again the problem is same, if i use some kind of authorization token then the user can simply see that in request and use that token to request for the file.

I am trying to do it without using any database, and if cannot be done without database effectively, then please suggest me some good database and free database to store a single string of nearly 6-7 letters.

desertnaut
  • 57,590
  • 26
  • 140
  • 166
Shiv Pratap Singh
  • 9
  • 2
  • What about storing the hashed string, such that it can't be decrypted? Then hash the user's string and see if it matches. – mykaf Apr 28 '23 at 18:51

1 Answers1

0

Whatever your write on JS is easy to read and understand. Even if you hash the password and then match hashes of the user's response with the hashed predefined correct answer, this whole logic will be exposed and can easily be hacked.

The only approach here is to encrypt your code itself. This process is called "obfuscation" and there are tons of tools (https://obfuscator.io/ for example) that can obfuscate your JS code to make it non-readable.

Bear in mind that even obfuscated code can be deobfuscated and hacked, but it will just take much more time and will require specific skills and experience from the hacker.

If you just need to hide some string, you can encrypt it using a simple algorithm and then decrypt it when needed.

For example, the string below looks unreadable until it is passed through the code that decodes it.

But again, in doing so, you need to take care of the code itself because it reveals the way how you decode the cipher.

console.log('$hA%eM5lX#l9io'.split('').filter((v, i) => i % 3 === 1).join(''))
RAllen
  • 1,235
  • 1
  • 7
  • 10