Page 1 of 1

PHP - Flash - Can you hack this page?

Posted: Wed Nov 07, 2007 2:09 pm
by pbsrg2
Hello,
We have created an online test program. It asks users for their name and email, and asks them a series of 3 questions. It is very important that the test taker NOT be able to (1) obtain a copy of the test questions and (2) obtain a copy of the test answers. I was wondering if anyone would be willing to give it their best shot. The address is: http://www.pbsrgvideo.com/email_test/frontloader.html. The most critcal aspect of the test is ensuring that the user can NOT obtain the correct answer from the Flash / PHP files.

If you are able to break it or save the questions / get answers from the program, I would be very interested in talking with you. I would sincerely appreciate feedback at web@pbsrg.com or replies to this topic. Thank you!!!!!

Posted: Wed Nov 07, 2007 3:38 pm
by Zoxive
"We" are not "hackers", but if you do post Relevant php code, we can help you make it more secure.

I did poke around in your .swf file though.

frontloader.swf loads email_test_template.swf

Which calls email.php, and secure.php

Code: Select all

    function onEnterFrame() {
      System.setClipboard('You are now allowed to copy and paste from this test.');
    }
Very annoying it kept erasing my clipboard : / (I multi task alot)

And you might want to change to not, instead of now.

All the Forum Names/Values

Code: Select all

f1 = function () {
      send_lv.rf1 = rG1;
      send_lv.rf2 = rG2;
      send_lv.rf3 = rG3;
      send_lv.txtF1 = txtG1;
      send_lv.txtF2 = txtG2;
      send_lv.txtF3 = txtG3;
      send_lv.txtF4 = txtG4;
   };
---------------

So If im correct, i could make a form

Code: Select all

<form action="http://www.pbsrgvideo.com/email_test/email.php" method="post">
  rf1<input type="text" name="rf1" /> <br>
  rf2<input type="text" name="rf2" /> <br>
  rf3<input type="text" name="rf3" /> <br>
  txtF1<input type="text" name="txtF1" /> <br>
  txtF2<input type="text" name="txtF2" /> <br>
  txtF3<input type="text" name="txtF3" /> <br>
  txtF4<input type="text" name="txtF4" /> <br>
  <input type="submit">
</form>
And fill out w/e i want and submit it.

Posted: Wed Nov 07, 2007 5:29 pm
by Weirdan
redirecting php errors to a log file would be nice idea too

Posted: Wed Nov 07, 2007 5:32 pm
by Benjamin
1. WHAT ARE YOUR HOBBIES?
2. WHICH IS THE CIRCLE?
3. 1+2=?

I wrote them down.

Posted: Wed Nov 07, 2007 5:51 pm
by pbsrg2
astions wrote:I wrote them down.
I chuckled when I read that. That and actually taking a photograph are things that are simply unprevetnable. However, the final version of the test will be (1) time limited and (2) over 100 questions.

Posted: Wed Nov 07, 2007 6:09 pm
by pbsrg2
Zoxive wrote:Very annoying it kept erasing my clipboard
Sorry about that. Most people when taking the test will only have the browser screen open. The final version will include text about closing the test window.

The most critical aspects of the test are that users:

1. Can NOT electronically save the questions
2. Can NOT access the correct answers to the questions

I've had several people try and still have yet someone obtain the answers.

I'm actually the project manager for the test, and I think our programmer will be getting on with some additional information. Thanks very much for your time and input.

Posted: Thu Nov 08, 2007 1:30 pm
by Mordred
pbsrg2 wrote: 1. Can NOT electronically save the questions
2. Can NOT access the correct answers to the questions
1. Forget about it. Print screen takes half a second, and software like TimeSnapper can do it automatically.
2. I haven't checked the code of your swfs, but I guess you want to check the answers on the client side. (If not, then I can't see your problem, you "just" need to secure the backend, hehe). For test answers that are typed text, you could keep a salted hash of the answer instead of the answer itself, but only provided that the answers are long enough. If the answers can be enumerated (what colour is the sky), or the question is pick-one-of-three, this can't be done.

In short, you can make these things hard, but you can't make them impossible. Maybe you should revise your requirements :) Why are they so important?

Here's a sample of the hashing strategy: http://intelligence-test.net/part1/