How to make a password system for challenges like rootme web [closed]



I’m making a website where you have to respond to questions. But the answers are not really secure.

I’ve already tried with JavaScript Obfuscator but I’m not really satisfied with this method (easily hackable). Where/How can I store those answers?

I’m looking for a system like challenges on root-me or some.

If you have any advice or resources, please let me know!

Here is my JavaScript code:

// Expected answers, one per page (shipped to the browser in plaintext).
var Answers = ['abc', 'abcd', 'abcde', 'abcdef'];

// Compare the submitted answer with the expected answer for the current page.
// PageNum is assumed to be set elsewhere on the page.
function checkAnswers() {
    var Student_answer = document.f1.studentAnswer.value;
    var Teacher_answer = Answers[PageNum];

    if (Student_answer.length == 0 || Teacher_answer.length == 0) {
        Swal.fire({
            position: 'center',
            icon: 'warning',
            title: 'You Must Enter An Answer',
            text: 'Try again',
            timer: 1500
        });
        return false;
    }
    if (Student_answer == Teacher_answer) {
        Swal.fire({
            position: 'center',
            icon: 'success',
            title: 'Good Job!',
            text: 'Next enigma...',
            confirmButtonText: '<a href="index1.html" onclick="closepopup()" style="color:#d9d9d9; text-decoration:none">Next</a>',
        });
    } else {
        Swal.fire({
            position: 'center',
            icon: 'error',
            title: 'Wrong Answer',
            text: 'Try again',
            timer: 1500
        });
    }
}

Answer

You could store the hash of the answer instead of the plaintext answer itself.

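// Run inside an async function or an ES module (top-level await).
const answer = 'abc';
const encoder = new TextEncoder();
const data = encoder.encode(answer);           // UTF-8 bytes of the answer
const hash = await crypto.subtle.digest('SHA-256', data); // ArrayBuffer with the digest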

When the user enters an answer you would hash their answer and if the hash matches the one that is stored then the answer is correct.

One might still be able to find the answer by looking up the hash on Google. To prevent this, prefix all answers with a random string like R3pTgWu7gy4FsbH6 before hashing.
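
The salted-hash check described in the answer above, as an added example that is not part of the original post: the answers are hashed once offline and only the salt and the digests are shipped in the page. The function names and sample answers are assumptions; since the salt and digests are visible to the browser, this stops hash lookups but short answers can still be guessed offline.

```javascript
// Added example: salted SHA-256 answer check with the Web Crypto API.
// The sample answers are constructed; a real page would ship only SALT and
// the hex digests produced by buildAnswerTable(), never the plaintext answers.
const SALT = 'R3pTgWu7gy4FsbH6'; // random prefix taken from the answer above

// Browsers and recent Node expose crypto.subtle globally; older Node needs the import.
async function getSubtle() {
  if (globalThis.crypto && globalThis.crypto.subtle) return globalThis.crypto.subtle;
  return (await import('node:crypto')).webcrypto.subtle;
}

// Hex-encoded SHA-256 of salt + trimmed answer.
async function hashAnswer(answer, salt = SALT) {
  const subtle = await getSubtle();
  const data = new TextEncoder().encode(salt + answer.trim());
  const digest = await subtle.digest('SHA-256', data);
  return Array.from(new Uint8Array(digest), b => b.toString(16).padStart(2, '0')).join('');
}

// Run once, offline, by the challenge author; only the output goes in the page.
async function buildAnswerTable(plainAnswers, salt = SALT) {
  return Promise.all(plainAnswers.map(a => hashAnswer(a, salt)));
}

// Run in the page: hash the submission and compare it with the stored digest.
async function checkAnswer(table, pageNum, studentAnswer) {
  if (typeof studentAnswer !== 'string' || studentAnswer.trim().length === 0) return false;
  const expected = table[pageNum];
  if (typeof expected !== 'string') return false; // unknown page number
  return (await hashAnswer(studentAnswer)) === expected;
}
```

In `checkAnswers()` the comparison `Student_answer == Teacher_answer` becomes `await checkAnswer(table, PageNum, Student_answer)`, with `table` holding the precomputed digests.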



Source: stackoverflow