XSS abusing firefox password manager [url=http://ha.ckers.org/blog/20060821/stealing-user-information-via-automatic-form-filling/]As RSnake theorised[/url], XSS can indeed be made to steal the plaintext passwords, and just to be the first person to do it (afaik) I stayed up all night, going down a fair few dead ends, to complete it. Have a read of this: http://www.criticalsecurity.net/index.php?s=&showtopic=15791&view=findpost&p=92791 I didn't do it exactly like the blog post said. Firstly it logs the user out, so that the login form will appear for any further page loads. Then it adds an iframe to the current page. The src of this iframe is another page on the site that is vulnerable to xss (and since the user is logged out the login form appears on that page). The XSSed code on this page starts an interval to alert the contents of the passwords box. The vulnerable site's admin has contacted me and we'll fix the flaw later today after I've explained how it worked. The code is messy, but I don't care much. Unrelated: While I was playing about with that code I made this file: http://www.whiteacid.org/HTS/IE_bug.html IE (6 and 7) both cause errors on that page and firefox diesn't display it correctly either. The textfield shouldn't be blank, and if it is blank then the text below the textfield should also be blank. Does anyone have any idea what's going on there? http://sla.ckers.org/forum/read.php?2,131,131#msg-131 Tue, 18 Jun 2013 20:46:22 -0500 Phorum 5.2.15a http://sla.ckers.org/forum/read.php?2,131,6650#msg-6650 Re: XSS abusing firefox password manager http://sla.ckers.org/forum/read.php?2,131,6650#msg-6650 -------------------------------------------------------
> well in the process of trying to detect the
> password manager.. which my guess is that it's not
> possible .. i found what looks like a reliable
> firefox test.
> http://maluc.sitesled.com/fftest.html
>
> AFAIK you aren't able to change this behavior in
> firefox, and are unable to add an about:config
> file to a local proxy, invalid filename. A proxy
> could filter it obviously though, and
> greasemonkey.
>
> Should make a thread of all reliable browser and
> version tests, when i compile them together.
>
> -maluc

I had an idea and did my own test just for fun:
http://hannil.freehostia.com/check/check.html]]> hasse XSS Info Sat, 10 Feb 2007 01:36:07 -0600 http://sla.ckers.org/forum/read.php?2,131,6601#msg-6601 Re: XSS abusing firefox password manager http://sla.ckers.org/forum/read.php?2,131,6601#msg-6601 WhiteAcid XSS Info Fri, 09 Feb 2007 06:38:46 -0600 http://sla.ckers.org/forum/read.php?2,131,6597#msg-6597 Re: XSS abusing firefox password manager http://sla.ckers.org/forum/read.php?2,131,6597#msg-6597 -------------------------------------------------------
> i agree, but i'm not sure if there is a way to
> determine ahead of time, whether or not they use a
> manager .. so you would still have to logout those
> without managers atleast once
>
>
> -maluc
I was rereading this thread and suddenly this popped into my head.
Prior to the script injection, add a form and input named user_name or similar.

<form name="logtest"><input type="text" name="username"></form><script blah blah

The html will be loaded into the DOM, then with the script, prior to logging them out, you can check if the form logtest.username was populated by firefox/opera(If you can get them to execute the wand, or SE them into using a button like this http://operawiki.info/PowerButtons#retrievewand)/etc.]]> Kyran XSS Info Fri, 09 Feb 2007 00:16:44 -0600 http://sla.ckers.org/forum/read.php?2,131,2534#msg-2534 Re: XSS abusing firefox password manager http://sla.ckers.org/forum/read.php?2,131,2534#msg-2534 WhiteAcid XSS Info Mon, 06 Nov 2006 15:18:47 -0600 http://sla.ckers.org/forum/read.php?2,131,2533#msg-2533 Re: XSS abusing firefox password manager http://sla.ckers.org/forum/read.php?2,131,2533#msg-2533
After that: Can't u just call a new xmlhttp request in the iframe to a remote php file and send the userinput?]]> jungsonn XSS Info Mon, 06 Nov 2006 14:04:54 -0600 http://sla.ckers.org/forum/read.php?2,131,1461#msg-1461 Re: XSS abusing firefox password manager http://sla.ckers.org/forum/read.php?2,131,1461#msg-1461 Kyran XSS Info Thu, 05 Oct 2006 10:28:13 -0500 http://sla.ckers.org/forum/read.php?2,131,1460#msg-1460 Re: XSS abusing firefox password manager http://sla.ckers.org/forum/read.php?2,131,1460#msg-1460 rsnake XSS Info Thu, 05 Oct 2006 10:06:09 -0500 http://sla.ckers.org/forum/read.php?2,131,1448#msg-1448 Re: XSS abusing firefox password manager http://sla.ckers.org/forum/read.php?2,131,1448#msg-1448 http://opera.freehostia.com/versioncheck.html
Should work with Opera 7.6+]]> Kyran XSS Info Thu, 05 Oct 2006 01:53:51 -0500 http://sla.ckers.org/forum/read.php?2,131,580#msg-580 Re: XSS abusing firefox password manager http://sla.ckers.org/forum/read.php?2,131,580#msg-580 rsnake XSS Info Mon, 18 Sep 2006 10:15:39 -0500 http://sla.ckers.org/forum/read.php?2,131,579#msg-579 Re: XSS abusing firefox password manager http://sla.ckers.org/forum/read.php?2,131,579#msg-579
Any thoughts?]]> Kyran XSS Info Mon, 18 Sep 2006 01:17:29 -0500 http://sla.ckers.org/forum/read.php?2,131,574#msg-574 Re: XSS abusing firefox password manager http://sla.ckers.org/forum/read.php?2,131,574#msg-574 rsnake XSS Info Sun, 17 Sep 2006 13:27:56 -0500 http://sla.ckers.org/forum/read.php?2,131,564#msg-564 Re: XSS abusing firefox password manager http://sla.ckers.org/forum/read.php?2,131,564#msg-564
not to mention safari.. although when the likes of opera/netscape/safari/etc each only have 1% of the market share, its often not worth the trouble..

-maluc]]> maluc XSS Info Sun, 17 Sep 2006 08:12:39 -0500 http://sla.ckers.org/forum/read.php?2,131,553#msg-553 Re: XSS abusing firefox password manager http://sla.ckers.org/forum/read.php?2,131,553#msg-553 Kyran XSS Info Sat, 16 Sep 2006 15:33:32 -0500 http://sla.ckers.org/forum/read.php?2,131,552#msg-552 Re: XSS abusing firefox password manager http://sla.ckers.org/forum/read.php?2,131,552#msg-552
it also is a false positive for the newest netscape alteast .. i'll try to refine it later today. On a side note, netscape also seems to support the chrome:// protocol, whereas opera does not.

-maluc]]> maluc XSS Info Sat, 16 Sep 2006 14:40:11 -0500 http://sla.ckers.org/forum/read.php?2,131,551#msg-551 Re: XSS abusing firefox password manager http://sla.ckers.org/forum/read.php?2,131,551#msg-551
what version and OS did you run it on?

-maluc]]> maluc XSS Info Sat, 16 Sep 2006 14:17:36 -0500 http://sla.ckers.org/forum/read.php?2,131,550#msg-550 Re: XSS abusing firefox password manager http://sla.ckers.org/forum/read.php?2,131,550#msg-550 Kyran XSS Info Sat, 16 Sep 2006 12:46:22 -0500 http://sla.ckers.org/forum/read.php?2,131,549#msg-549 Re: XSS abusing firefox password manager http://sla.ckers.org/forum/read.php?2,131,549#msg-549 rsnake XSS Info Sat, 16 Sep 2006 11:57:56 -0500 http://sla.ckers.org/forum/read.php?2,131,544#msg-544 Re: XSS abusing firefox password manager http://sla.ckers.org/forum/read.php?2,131,544#msg-544
Good work though.]]> WhiteAcid XSS Info Sat, 16 Sep 2006 04:23:03 -0500 http://sla.ckers.org/forum/read.php?2,131,543#msg-543 Re: XSS abusing firefox password manager http://sla.ckers.org/forum/read.php?2,131,543#msg-543
AFAIK you aren't able to change this behavior in firefox, and are unable to add an about:config file to a local proxy, invalid filename. A proxy could filter it obviously though, and greasemonkey.

Should make a thread of all reliable browser and version tests, when i compile them together.

-maluc]]> maluc XSS Info Sat, 16 Sep 2006 02:54:11 -0500 http://sla.ckers.org/forum/read.php?2,131,537#msg-537 Re: XSS abusing firefox password manager http://sla.ckers.org/forum/read.php?2,131,537#msg-537 rsnake XSS Info Fri, 15 Sep 2006 15:46:41 -0500 http://sla.ckers.org/forum/read.php?2,131,534#msg-534 Re: XSS abusing firefox password manager http://sla.ckers.org/forum/read.php?2,131,534#msg-534
In regards to O.P., The textbox renders correctly for me in Opera.]]> Kyran XSS Info Fri, 15 Sep 2006 14:35:06 -0500 http://sla.ckers.org/forum/read.php?2,131,432#msg-432 Re: XSS abusing firefox password manager http://sla.ckers.org/forum/read.php?2,131,432#msg-432 rsnake XSS Info Sun, 03 Sep 2006 20:59:05 -0500 http://sla.ckers.org/forum/read.php?2,131,431#msg-431 Re: XSS abusing firefox password manager http://sla.ckers.org/forum/read.php?2,131,431#msg-431
for sites that allow auto-login via cookies, you're right that it's easy to just record their cookies and reset them afterwards to the logged-in values. So this should work well for sites like forums .. where an attacker would otherwise have to delete the cookies of a user, in order to force them to use the login form + form stealer once.

-maluc]]> maluc XSS Info Sun, 03 Sep 2006 20:41:12 -0500 http://sla.ckers.org/forum/read.php?2,131,427#msg-427 Re: XSS abusing firefox password manager http://sla.ckers.org/forum/read.php?2,131,427#msg-427 rsnake XSS Info Sun, 03 Sep 2006 18:57:00 -0500 http://sla.ckers.org/forum/read.php?2,131,425#msg-425 Re: XSS abusing firefox password manager http://sla.ckers.org/forum/read.php?2,131,425#msg-425
But applying that to all users.. you also succeed in repeatedly logging out those without the managers, everytime they view the XSSed page.. so the stealthiness is questionable

-maluc]]> maluc XSS Info Sun, 03 Sep 2006 17:29:11 -0500 http://sla.ckers.org/forum/read.php?2,131,424#msg-424 Re: XSS abusing firefox password manager http://sla.ckers.org/forum/read.php?2,131,424#msg-424
i dont speak ActiveScript as a second language, but i'd assume you would have to hash the name and pass with a sessionid/salt to prevent an XSS from reading it in the redirect.

However, it's far easier to read the plaintext upon submission, by making a form stealer using the DOM - something i wrote last month to get the plaintext from the login of Invision PowerBoards (the SQL database only stores the md5 hash, which won't help you log into AdminPanel without bruteforcing the hash)

..but i always love to learn more ways to skin my neighbors cat ^^
-maluc]]> maluc XSS Info Sun, 03 Sep 2006 17:06:36 -0500 http://sla.ckers.org/forum/read.php?2,131,329#msg-329 Re: XSS abusing firefox password manager http://sla.ckers.org/forum/read.php?2,131,329#msg-329
But to be clear, my intention definitely is not to pave the way towards any new attacks, but rather to explain the already existing holes and how they can be applied. I'm not out creating holes (writing hole ridden software) nor am I writing attack/scanning software for the same reason. Explaining the issue, however, is critical to fixing the holes, which is why demo software is key. You'll notice that not a single one of the vectors on the XSS Cheat Sheet actually steal cookies or otherwise. That part is not interesting to me. How the vectors bypass filters definitely is, though.]]> rsnake XSS Info Tue, 29 Aug 2006 10:38:36 -0500 http://sla.ckers.org/forum/read.php?2,131,326#msg-326 Re: XSS abusing firefox password manager http://sla.ckers.org/forum/read.php?2,131,326#msg-326
Basically this technique allows you to target any website from any xss hole, not just the site with the vunerability. This means site A can be used to target site b without site C (the attackers) IP never accessing site B or even site A for that matter, and it doesn't just extend to firefox. it can be used anywhere where there is a remember my details feature.

Also supposing you can ammend the source Site B at runtime, what it to stop you from injecting a cookie stealer into the source of that. so, even it their login credentials aren't present, should they be already logged in you can captcha that data as well. Or even if you can't get their user details in clear text automatically submitting the form and then stealing the cookie.

@WhiteAcid and Rsnake - good work but i think you might have paved the way for a whole new phishing industry.]]> digi7al64 XSS Info Mon, 28 Aug 2006 23:17:14 -0500 http://sla.ckers.org/forum/read.php?2,131,294#msg-294 Re: XSS abusing firefox password manager http://sla.ckers.org/forum/read.php?2,131,294#msg-294 Girzi XSS Info Mon, 28 Aug 2006 07:22:41 -0500 http://sla.ckers.org/forum/read.php?2,131,293#msg-293 Re: XSS abusing firefox password manager http://sla.ckers.org/forum/read.php?2,131,293#msg-293
Let's say I was trying to insert: 
<script src="http://example.com/file.js"></script>
which contained
alert('xss')
I would instead inject
<script>alert('xss')</script>
That way there is no problem about different domains.]]> WhiteAcid XSS Info Mon, 28 Aug 2006 07:10:57 -0500