Hello,
We have created an online test program. It asks users for their name and email, and asks them a series of 3 questions. It is very important that the test taker NOT be able to (1) obtain a copy of the test questions and (2) obtain a copy of the test answers. I was wondering if anyone would be willing to give it their best shot. The address is: http://www.pbsrgvideo.com/email_test/frontloader.html. The most critical aspect of the test is ensuring that the user can NOT obtain the correct answer from the Flash / PHP files.
If you are able to break it or save the questions / get answers from the program, I would be very interested in talking with you. I would sincerely appreciate feedback at web@pbsrg.com or replies to this topic. Thank you!!!!!
PHP - Flash - Can you hack this page?
"We" are not "hackers", but if you do post relevant PHP code, we can help you make it more secure.
I did poke around in your .swf file though.
frontloader.swf loads email_test_template.swf
Which calls email.php, and secure.php
Code: Select all
function onEnterFrame() {
    System.setClipboard('You are now allowed to copy and paste from this test.');
}
Very annoying it kept erasing my clipboard : / (I multitask a lot)
And you might want to change to not, instead of now.
All the Forum Names/Values
Code: Select all
f1 = function () {
    send_lv.rf1 = rG1;
    send_lv.rf2 = rG2;
    send_lv.rf3 = rG3;
    send_lv.txtF1 = txtG1;
    send_lv.txtF2 = txtG2;
    send_lv.txtF3 = txtG3;
    send_lv.txtF4 = txtG4;
};
So if I'm correct, I could make a form
Code: Select all
<form action="http://www.pbsrgvideo.com/email_test/email.php" method="post">
rf1<input type="text" name="rf1" /> <br>
rf2<input type="text" name="rf2" /> <br>
rf3<input type="text" name="rf3" /> <br>
txtF1<input type="text" name="txtF1" /> <br>
txtF2<input type="text" name="txtF2" /> <br>
txtF3<input type="text" name="txtF3" /> <br>
txtF4<input type="text" name="txtF4" /> <br>
<input type="submit">
</form>
And fill out w/e I want and submit it.
Last edited by Zoxive on Wed Nov 07, 2007 5:32 pm, edited 1 time in total.
Zoxive wrote: Very annoying it kept erasing my clipboard
Sorry about that. Most people when taking the test will only have the browser screen open. The final version will include text about closing the test window.
The most critical aspects of the test are that users:
1. Can NOT electronically save the questions
2. Can NOT access the correct answers to the questions
I've had several people try and still have yet to have someone obtain the answers.
I'm actually the project manager for the test, and I think our programmer will be getting on with some additional information. Thanks very much for your time and input.
pbsrg2 wrote: 1. Can NOT electronically save the questions
2. Can NOT access the correct answers to the questions
1. Forget about it. Print screen takes half a second, and software like TimeSnapper can do it automatically.
2. I haven't checked the code of your swfs, but I guess you want to check the answers on the client side. (If not, then I can't see your problem, you "just" need to secure the backend, hehe). For test answers that are typed text, you could keep a salted hash of the answer instead of the answer itself, but only provided that the answers are long enough. If the answers can be enumerated (what colour is the sky), or the question is pick-one-of-three, this can't be done.
In short, you can make these things hard, but you can't make them impossible. Maybe you should revise your requirements.
Here's a sample of the hashing strategy: http://intelligence-test.net/part1/
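The salted-hash idea from the reply above, and its limit for answers that can be enumerated, as an added example (not code from the thread or from the linked site). PBKDF2 stands in for the "salted hash"; the questions, answers, word list and function names are constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional, Tuple

ITERATIONS = 10_000  # assumed work factor, kept low so the example runs quickly
Record = Tuple[bytes, bytes]  # (salt, digest): what ships instead of the answer


def normalize(answer: str) -> bytes:
    """Fold case and whitespace so ' Blue ' and 'blue' hash the same."""
    return " ".join(answer.lower().split()).encode("utf-8")


def make_record(answer: str, salt: Optional[bytes] = None) -> Record:
    """Build the salted, stretched hash that replaces the plaintext answer."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(answer), salt, ITERATIONS)
    return salt, digest


def check(candidate: str, record: Record) -> bool:
    """Client-side grading: re-hash the typed answer and compare digests."""
    salt, digest = record
    attempt = hashlib.pbkdf2_hmac("sha256", normalize(candidate), salt, ITERATIONS)
    return hmac.compare_digest(attempt, digest)


def recoverable(record: Record, candidates: Iterable[str]) -> Optional[str]:
    """Pre-release audit: return the candidate that matches the record, if any.

    Whoever holds the record can run the same loop, so a question is only
    fit for client-side grading if no feasible candidate list contains it.
    """
    for candidate in candidates:
        if check(candidate, record):
            return candidate
    return None


# Constructed sample answers (not taken from the test discussed in the thread).
PICK_ONE = make_record("B")   # pick-one-of-three: A / B / C
COLOUR = make_record("blue")  # short, enumerable answer
FREE_TEXT = make_record("Separate duties so no single operator can approve and release a payment")
COMMON_WORDS = ["red", "green", "blue", "grey", "black", "white"]

if __name__ == "__main__":
    print("pick-one :", recoverable(PICK_ONE, ["A", "B", "C"]))
    print("colour   :", recoverable(COLOUR, COMMON_WORDS))
    print("free text:", recoverable(FREE_TEXT, COMMON_WORDS + ["A", "B", "C"]))
```

Any question for which `recoverable` returns a value has to be graded on the server, with only the submitted answer crossing the wire.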