Javascript fun

Post by **Turbine** » Fri Oct 20, 2006 7:55 pm

Alright, look at your address bar, erase the current address up there, then type:
javascript:alert(document.cookie);

A text box will come up, don't copy&paste that here.

For fun do this, type:
javascript:alert("hello, I see you... run!");

now try this:
javascript:alert(browser=navigator.appName); alert(b_version=navigator.appVersion);
ouuuh.... tuche!

and:
javascript:document.bgcolor="I can't make the background of the forum look orange anymore!"

Don't post javascript:alert(document.cookie); result.
DO NOT! it can be misused

Post by **CitizenKane** » Fri Oct 20, 2006 8:02 pm

Post by **Turbine** » Fri Oct 20, 2006 8:03 pm

NO MAN!
erase that!! NOW!

The next person that sees that might not be as kind as me.

Post by **Foo** » Fri Oct 20, 2006 8:04 pm

Posts your session id, last-viewing timestamp, etc.

Don't post them.

Post by **Scourge** » Fri Oct 20, 2006 8:07 pm

What foo said.

Post by **Scourge** » Fri Oct 20, 2006 8:08 pm

Heh, double erased.

Post by **CitizenKane** » Fri Oct 20, 2006 8:08 pm

oh....i see

Post by **CitizenKane** » Fri Oct 20, 2006 8:09 pm

oh....i see

Post by **Turbine** » Fri Oct 20, 2006 8:09 pm

You also posted the first time; at the same time. scourge34.

Post by **CitizenKane** » Fri Oct 20, 2006 8:10 pm

ok yeah, im a bit lame when it comes to javascript. how exactly could that information have been misused? im genuinely interested.

Post by **Turbine** » Fri Oct 20, 2006 8:13 pm

OK that is the cookie that Q3W gives you.
And it is unique to you, and your computer.
Everyone gets a different one.

It contains your session ID.
Can be used to log in as you.

Post by **Foo** » Fri Oct 20, 2006 8:16 pm

CitizenKane wrote:ok yeah, im a bit lame when it comes to javascript. how exactly could that information have been misused? im genuinely interested.

A session id is a lump of text that serves as a one-time key your browser uses to access your account without needing to store your password plainly or have you re-enter your pass every time.

With a session key someone can make use of your account to post and do anything that doesn't require re-entering your password. Modern versions of most PHP software that uses sessions (like this, PhpBB) require re-entry of your password to make account alterations (password, profile etc) so the danger of a session hijack is only moderate.

But still, you don't want someone jacking your session then posting porn using your account. For example.

Post by **CitizenKane** » Fri Oct 20, 2006 8:20 pm

oh right...silly me!

Post by **Dave** » Fri Oct 20, 2006 8:54 pm

I'm sorry I clicked this thread

Post by **mrd** » Fri Oct 20, 2006 9:13 pm

That sesh ID # is rather long and fugly looking.

Post by **Turbine** » Fri Oct 20, 2006 9:36 pm

The whole thing is not one session ID.
There is a lot more stuff in there.

The Session ID looks like this
q3wforum_sid=a12b0c345d678e90f123g45678h9i0;

Post by **mrd** » Fri Oct 20, 2006 9:56 pm

I know. Would you not agree that a12b0c345d678e90f123g45678h9i0; is rather long and fugly looking?

Isn't there a way to lock sesh IDs to IPs, though?

Post by **Turbine** » Fri Oct 20, 2006 10:05 pm

No idea.
There should be.

When i get home I will do a test to see if Q3W uses a SID to IP check.