Javascript fun
Posted: Fri Oct 20, 2006 7:55 pm
by Turbine
Alright, look at your address bar, erase the current address up there, then type:
javascript:alert(document.cookie);
A text box will come up, don't copy&paste that here.
For fun do this, type:
javascript:alert("hello, I see you... run!");
now try this:
javascript:alert(browser=navigator.appName); alert(b_version=navigator.appVersion);
ouuuh.... touché!
and:
javascript:document.bgcolor="I can't make the background of the forum look orange anymore!"
Don't post javascript:alert(document.cookie); result.
DO NOT! It can be misused.
Posted: Fri Oct 20, 2006 8:02 pm
by CitizenKane
Posted: Fri Oct 20, 2006 8:03 pm
by Turbine
NO MAN!
erase that!! NOW!
The next person that sees that might not be as kind as me.
Posted: Fri Oct 20, 2006 8:04 pm
by Foo
Posts your session id, last-viewing timestamp, etc.
Don't post them.
Posted: Fri Oct 20, 2006 8:07 pm
by Scourge
What foo said.
Posted: Fri Oct 20, 2006 8:08 pm
by Scourge
Heh, double erased.
Posted: Fri Oct 20, 2006 8:08 pm
by CitizenKane
oh....I see
Posted: Fri Oct 20, 2006 8:09 pm
by CitizenKane
oh....I see
Posted: Fri Oct 20, 2006 8:09 pm
by Turbine
You also posted the first time; at the same time. scourge34.
Posted: Fri Oct 20, 2006 8:10 pm
by CitizenKane
OK yeah, I'm a bit lame when it comes to JavaScript. How exactly could that information have been misused? I'm genuinely interested.
Posted: Fri Oct 20, 2006 8:13 pm
by Turbine
OK that is the cookie that Q3W gives you.
And it is unique to you, and your computer.
Everyone gets a different one.
It contains your session ID.
Can be used to log in as you.
Posted: Fri Oct 20, 2006 8:16 pm
by Foo
CitizenKane wrote: OK yeah, I'm a bit lame when it comes to JavaScript. How exactly could that information have been misused? I'm genuinely interested.
A session id is a lump of text that serves as a one-time key your browser uses to access your account without needing to store your password plainly or have you re-enter your pass every time.
With a session key someone can make use of your account to post and do anything that doesn't require re-entering your password. Modern versions of most PHP software that uses sessions (like this, phpBB) require re-entry of your password to make account alterations (password, profile etc.) so the danger of a session hijack is only moderate.
But still, you don't want someone jacking your session then posting porn using your account. For example.
Posted: Fri Oct 20, 2006 8:20 pm
by CitizenKane
oh right...silly me!
Posted: Fri Oct 20, 2006 8:54 pm
by Dave
I'm sorry I clicked this thread
Posted: Fri Oct 20, 2006 9:13 pm
by mrd
That sesh ID # is rather long and fugly looking.
Posted: Fri Oct 20, 2006 9:36 pm
by Turbine
The whole thing is not one session ID.
There is a lot more stuff in there.
The Session ID looks like this
q3wforum_sid=a12b0c345d678e90f123g45678h9i0;
Posted: Fri Oct 20, 2006 9:56 pm
by mrd
I know. Would you not agree that a12b0c345d678e90f123g45678h9i0; is rather long and fugly looking?
Isn't there a way to lock sesh IDs to IPs, though?
Posted: Fri Oct 20, 2006 10:05 pm
by Turbine
No idea.
There should be.
When I get home I will do a test to see if Q3W uses a SID to IP check.
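
On the question raised above about locking session IDs to IPs, here is an added example that is not part of the thread and is not phpBB's or Q3W's code: a server-side check that rejects a session cookie replayed from a different address. The in-memory store, the function names and the cookie flags are assumptions; the cookie name is the one quoted in the thread.

```javascript
// Added example: bind a session ID to the IP address that created it.
const { randomBytes } = require("node:crypto");

const COOKIE_NAME = "q3wforum_sid"; // cookie name as quoted in the thread
const sessions = new Map();         // sid -> { user, ip }; in-memory store is an assumption

// Issue a session and the Set-Cookie header that carries it.
function createSession(user, ip) {
  const sid = randomBytes(16).toString("hex"); // 128 bits from the OS CSPRNG
  sessions.set(sid, { user, ip });
  // HttpOnly keeps the value out of document.cookie, so the address-bar
  // alert from the first post would no longer display the session ID.
  const setCookie = `${COOKIE_NAME}=${sid}; Path=/; HttpOnly; Secure`;
  return { sid, setCookie };
}

// Pull the session ID out of a request's Cookie header.
function sidFromCookieHeader(header) {
  for (const part of (header || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq === -1) continue;
    if (part.slice(0, eq).trim() === COOKIE_NAME) return part.slice(eq + 1).trim();
  }
  return null;
}

// Accept the session only when it exists and the request comes from the bound IP.
function checkRequest(cookieHeader, ip) {
  const sid = sidFromCookieHeader(cookieHeader);
  const rec = sid ? sessions.get(sid) : undefined;
  if (!rec) return { ok: false, reason: "unknown-session" };
  if (rec.ip !== ip) return { ok: false, reason: "ip-mismatch" }; // cookie used from another host
  return { ok: true, user: rec.user };
}

// Constructed sample: user name from the thread, addresses from documentation ranges.
const demo = createSession("CitizenKane", "203.0.113.10");
const demoCookie = `q3wforum_data=x; ${COOKIE_NAME}=${demo.sid}`;
console.log(checkRequest(demoCookie, "203.0.113.10")); // same address
console.log(checkRequest(demoCookie, "198.51.100.7")); // same cookie, different address
```

An exact-match IP check logs out users whose address changes mid-session and does nothing against someone behind the same NAT or proxy, so it complements rather than replaces keeping the cookie out of reach of scripts.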