Challenge 2 Explanation: Cup of JavaScript

Performing the login check in client-side JavaScript is insecure: the credentials the script compares against have to be delivered to the browser, so anyone who views the page can read them. Because the login form in Challenge 2 is processed client-side, you can view the source code and find the administrator’s password. When building a secure web application, always store and verify login information on the web server, never in the client’s browser.

Below is a step-by-step guide of how to answer the questions and complete the challenge.

Much like the previous challenge, we begin by viewing the page source. Right-click on the page and select “View page source.”

Explanation Screenshot 1

Viewing the page source allows us to see the JavaScript function that handles signing in. On line 170, we see a comment indicating the beginning of the sign-in function; this is where we will focus our investigation.

Explanation Screenshot 2

On line 171, we see where “buttonFunction()” begins; this is the function that processes the sign-in. On lines 181 and 183, we can see the administrator’s username and password: “admin” and “SuperSecretPassword.”

Explanation Screenshot 3

On line 262, the “buttonFunction()” is called when a user clicks on the sign-in button.

To complete this challenge, enter the username and password found in the source, click “Sign In,” and the flag will be displayed.

Explanation Screenshot 3