Inside Technique : Hiding HTML/SCRIPT... I think it IS possible! : The Mechanics

The mechanics behind the server scripts is probably the easiest part. I'll quickly run down the process of what happens when Internet Explorer Runs hide.asp ( http://hideit.siteexperts.com/).

#1 A new ASP Session is established, an XML document is created and assigned to Session("passes").

#2 When hide.asp is requested, a new pass Element is added to the xml document contained in Session("passes"). The pass element has 2 attributes, guid contains a globally unique identifier (guid). timeout contains a datestamp represented in JavaScript Date.getTime() form set for (currentTime + 1 second). For now we'll ignore the Random() function and all the other client side JavaScript code. The important part is here. In essence this is what's generated:
< script id ="wtf" src ="hidden.asp?pass= <% =guid%>"></ script >

#3 Based upon the last statement, hidden.asp?pass=[guid generated from hide.asp] is called.

#4 The pass parameter is stored in guid

#5 The xml document is queried for a pass element with the guid attribute=guid.

#6 The element is found, then deleted so that it cannot be used again.

#7 The timeout timestamp is compared to the current time

#8 Next the user agent is queried to make sure it at least contains "MSIE 6"

#9 Lastly the HTTP Referer is checked to see if the referer is hide.asp.

#10 Since the made it through all the server side checks the real code is written to the Response. Of course then the client side scripting engine decodes it all and displays the alert().

<- Previous (The Code) Index Next -> (The Deception)

© 1997-2000 InsideDHTML.com, LLC. All rights reserved.