Hack my site


0

Just wondering whether it is vulnerable to some injection attacks or anything else.
I have developed a simple game called typefast using JavaScript and PHP.
SQL injection can never happen because I haven’t used SQL.
Some may be trying to get to the top of the ranking list on the site.
Here is the link: http://shivinder.bugs3.com/
I want to make this game more secure. Any suggestions will be appreciated.

36 replies | 9 voices | 361 views
Pinkponyprincess
10 years ago

0

Hi shiv_narr, I like the design and functionality, really nice. You will be glad to see I have 110 wpm (I cannot actually type that fast :) ).


0

Hi Pinkponyprincess, thanks for your reply. Can you suggest any method to allow only genuine typists or prevent bot typists? :-)


0

Boom! Beat your high score pink pony princess! Got 120!

Elhitch
10 years ago

0

Greetings, shiv_narr!

Here is what I’ve seen wrong so far:
[list]
[*] Style issue with the links at the bottom;
[*] When you finish the game, at the part where it prompts you for your name, if you press “Cancel” you’re given the name “null”. In my opinion, when you press “Cancel” it should not process and record your data;
[*] Put your JavaScript code in a stand-alone file and protect it. I myself couldn’t think of a way to break it right now, but if I had a little bit more time I’m sure I could think of something (i.e. setting the timer to a greater value).[/list]
Other than that you’ve done a great job! I’ll make sure to post again if I’ve found anything.

I wish good luck to you and the site,
Elhitch


0

Hi Elhitch, thanks for your consideration. I appreciate your effort in testing. Can you explain briefly what the style issue is? For quick typists, I am coding a captcha script which typists are required to pass to prove they are genuine fast typists.
Till now I don’t think the JavaScript code can be broken. :-)


0

I think that, till now, the score can only be increased using a typing bot.

Elhitch
10 years ago | edited 10 years ago

0

On a second look, I don’t really know what I saw earlier. It was basically a couple of links along with tags, maybe my browser’s gone nuts for a while.

The developer console can easily be opened by first turning off JavaScript from the browser’s options, then turning it on again - this allows you to remove the paste-protection on the textbox (as well as other attributes) or create a single submit button which, after being clicked, could send the server any values the penetrator wishes to.

Also, I’ve just noticed that you could easily set the timer value to 0 (javascript:t3=0 in the address bar), which gives you 100% accuracy and the rank of Megaracer with a single letter. However, the good news is that it doesn’t post the results for some reason.

EDIT: However, both of the problems I just stated could be (partially) solved by hiding your JavaScript code, which reveals far too much. It’s like “passing arguments to the hacker”: they only need to think of a way to exploit them.


0

Yes Elhitch, we can never hide our source code. But we can make it too difficult to break. Now I don’t think anything could happen with the JavaScript code as it is not readable. :-)

[deleted user]
10 years ago

0

If someone knows the variable t3 he can easily take a place in the Top Typists as I do ;)


0

Hi fkpuzat. H4X0r, is it you? It was earlier, I think. Try to reach 150 or even 200 wpm if you can by changing the variable t3. :-)


0

H4X0r and Maxlockhart are me.


0

Never mind, you updated the site.

Elhitch
10 years ago

0

I see you’ve fixed the issue regarding results posting, and I’m glad you’ve done so.

Another piece of advice I could give you is to store all the values of typing speed in an array, then calculate the average speed and upload that instead of the WPM value at the end of the timer countdown.


0

Thanks MaxLockhart and Elhitch, I have updated the site footer. Inform me if you want to change anything else. I’m not a web designer so the design of the site is just average. :-)

[deleted user]
10 years ago | edited 10 years ago

0

Ok I can’t make 210 wpm but 123 wpm is possible :p


0

Hmm.. fkpuzat, can you share how you scored 123 wpm? Any use of a bot? :@

[deleted user]
10 years ago

0

No bot, just the JavaScript console using the t3 variable. Let’s say you want 120 wpm; you have to write 60 words.

Start writing the text, open the JavaScript console and write this: t3=10000000; then take all your time to write 60 words and write this: t3=1;


0

@fkpuzat, I wonder how the t3 variable is still there for you. I have already updated the JavaScript code, so there is no chance of having the variable t3 and you can’t find it. If you can attain 123 wpm then you can easily go for 190 or above.

[deleted user]
10 years ago

0

ctrl+U, ctrl+F, t3 ;)

I tried to get 210 wpm (writing 105 words) but it told me I was a bot ^^

Shivinder Singh Narr [shiv_narr]
10 years ago | edited 10 years ago

0

LOL, because you (fkpuzat) are… I hate this t3 variable. Now I will change it to… why should I tell you :D
Thanks to all who replied and used their time to help me secure the application.
Today, I have solved various issues with your help… :D :) :D

Cyan Wind [freewind1012]
10 years ago | edited 10 years ago

0

You obfuscated JavaScript, didn’t you? Believe me, anything which is client-sided is exploitable. Someone can easily use Malzilla to decode JavaScript code, then read and exploit it.

You can go to Coding Level 1 and see how the timer works. I suppose that there are 2 timers: the client-side one written in JavaScript and the other one written in PHP. When users submit their answer, the remaining time should be compared and validated.

Shivinder Singh Narr [shiv_narr]
10 years ago | edited 10 years ago

0

Hi freewind1012, yeah you are right. I know this. But the main reason was that 3 years ago I developed this typing script. Now I just want to use that script instead of developing a new one again (yeah, I’m lazy). I should have kept a server timer to prevent attacks but now I am just patching this code again and again. :p
But with this approach, I am also learning how to prevent JavaScript code from attacks if by any means… Still finding…

Pinkponyprincess
10 years ago

0

you could use some ajax to make sure the user is actually typing… just an idea
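One way to build Pinkponyprincess's AJAX idea, which also carries out Elhitch's earlier suggestion of averaging speed samples but on the server instead of in the browser, as an added example that is not the site's code: the page posts its running character count every few seconds, the server stamps each report with its own clock, rejects reports that jump backwards, arrive in a burst or imply an impossible rate, and computes the average from the server-side timestamps. It is written for Node.js rather than the game's PHP; the 250 wpm ceiling, the one-second report gap, the three-sample minimum and the five-characters-per-word convention are constructed assumptions.

```javascript
// Added example, not code from the typefast site: server-side progress sampling for a typing test,
// written for Node.js rather than the game's PHP. Ceilings, gaps and the 5-chars-per-word
// convention are constructed assumptions.
const MAX_PLAUSIBLE_WPM = 250;                                   // assumed ceiling for a human typist
const CHARS_PER_WORD = 5;                                        // common typing-test convention
const MAX_CHARS_PER_MS = (MAX_PLAUSIBLE_WPM * CHARS_PER_WORD) / 60000;
const MIN_REPORT_GAP_MS = 1000;                                  // reports closer than this are ignored
const MIN_SAMPLES = 3;                                           // start marker plus at least two reports

// A progress log is the server's own record of (characters typed so far, server time) pairs.
// The first entry marks the start of the test.
function createProgressLog(now) {
  return [{ chars: 0, at: now }];
}

// Validate and store one progress report. Each check names the cheat it blocks.
function recordProgress(log, charsTyped, now) {
  if (!Number.isInteger(charsTyped) || charsTyped < 0) {
    return { accepted: false, reason: "character count must be a non-negative integer" };
  }
  const last = log[log.length - 1];
  const gapMs = now - last.at;
  if (gapMs < MIN_REPORT_GAP_MS) {
    return { accepted: false, reason: "report too soon after the previous one" };
  }
  if (charsTyped < last.chars) {
    return { accepted: false, reason: "progress cannot go backwards" };
  }
  if ((charsTyped - last.chars) / gapMs > MAX_CHARS_PER_MS) {
    // A jump of thousands of characters in one interval is a paste or a script, not typing.
    return { accepted: false, reason: "burst exceeds a plausible typing rate" };
  }
  log.push({ chars: charsTyped, at: now });
  return { accepted: true };
}

// Speed of each interval between consecutive reports, in words per minute,
// computed from the server's timestamps only.
function intervalWpms(log) {
  const speeds = [];
  for (let i = 1; i < log.length; i++) {
    const chars = log[i].chars - log[i - 1].chars;
    const ms = log[i].at - log[i - 1].at;
    speeds.push((chars * 60000) / (CHARS_PER_WORD * ms));
  }
  return speeds;
}

// Final score: the mean of the interval speeds (the "average of samples" idea) next to the
// overall rate, which is the same average weighted by interval length. Both come from the
// server's clock, so no client-side timer variable influences them.
function finalScore(log) {
  if (log.length < MIN_SAMPLES) return { ok: false, reason: "not enough progress reports" };
  const speeds = intervalWpms(log);
  const averageWpm = speeds.reduce((a, b) => a + b, 0) / speeds.length;
  const first = log[0];
  const last = log[log.length - 1];
  const overallWpm = ((last.chars - first.chars) * 60000) / (CHARS_PER_WORD * (last.at - first.at));
  return { ok: true, averageWpm: Math.round(averageWpm), overallWpm: Math.round(overallWpm), samples: log.length };
}
```

A single final POST can be forged as easily as a timer variable can be edited; a stream of server-timed reports has to be consistent with human typing over the whole session, which is a much harder thing to fake from the console.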


0

Yeah Pinkponyprincess, this method is great to use. So in the coming days, I will modify the code. Thanks.


0

@shiv_narr: Fine. Obfuscation is the last thing we can do to prevent someone from easily reading JavaScript. I think that we should focus on improving the functionality/usability by giving more ideas.


0

@freewind1012, I think I will add more functionality, so that no one can easily cheat above 100 wpm. It’s almost over and I will assemble it, maybe today. :D


0

Hi, everyone. I am back with a little surprise. I worked hard the whole day and changed the script a little bit. I am very grateful to all who helped me, made suggestions and figured out the vulnerabilities in the website. I have seen many people get 199 wpm. So I have improved the script in a much better way. Some things are still missing, like a good design, but I think the conclusion is that now no one can cheat on my site.. :D :) :p Thank you all who replied.

ShivNarr

xxxx [TheShadowman]
10 years ago

0

Not a bug but a suggestion.
Maybe you could try adding multiple choices of time to type for, e.g. 30 sec, 60 sec, etc. Longer time = lower percentage error.


0

Thanks TheShadowman, I will see this after the whole site is secured. :p

[IAmDevil]
10 years ago

0

Haha, got 54 wpm with my cell phone! Kinda good, eh?


0

Devils usually destroy something.. :p

*********** [ADIGA]
10 years ago

0

199, today…
PMed with what I found.


0

This has to have been one of the most fun things I have ever done in my life. I definitely want to get into ethical hacking for a living.


0

@ADIGA, I think 199 is not possible. The upper limit of speed is 250 wpm because humans don’t type above 250 wpm.
Hi MaxLockhart, thanks for your effort. I have changed the script to make it more secure by using image texts to type. I am sure this method is more secure than the previous one. This forum has helped me to learn more things while developing an application.

:)

Cyan Wind [freewind1012]
10 years ago | edited 10 years ago

0

[quote=shiv_narr]i think 199 is not possible. The upper limit of speed is 250 wpm because humans don’t type above 250 wpm.[/quote]
Wut? 250 is the upper limit so it’s logically possible to get 199 wpm. Of course it’s not normal because @ADIGA has cheated somewhere. xD


0

I’m just loving this game of hacking.. wow!! What a great experience. I will be very happy if someone exploits a vulnerability, and I just wonder how it has been done.. Please guys…

Discussion thread has been locked. You can no longer add new posts.