Sla.ckers.org
Q and A on cross site request forgeries and breaking into sessions. It's one of the attacks that XSS enables and the attack of the future. For session fixations, hijacking, lockout, replay, session riding etc.
getting username and password saved in the browser
Posted by: n0
Date: September 29, 2007 10:35PM

I saw this nice JavaScript code that can reveal passwords written in input boxes.
This is useful if you have a password saved in your browser and you want to retrieve it.

javascript:(function(){var s,F,j,f,i; s = ""; F = document.forms; for(j=0; j<F.length; ++j) { f = F[j]; for (i=0; i<f.length; ++i) { if (f[i].type.toLowerCase() == "password") s += f[i].value + "\n"; } } if (s) alert("Passwords in forms on this page:\n\n" + s); else alert("There are no passwords in forms on this page.");})();

So I was wondering if it is possible to use this technique to open known sites like Gmail and so on in iframes or popups and get the password saved by the user.

I tried to write something (not much of a JS expert) that tries to get it from Gmail. I linked to the Gmail logout page, so if the user is logged in he will be logged out and transferred to the login page, where the password will be available.

The problem is I couldn't access anything inside the document object of the iframe or the popup, and got some error not allowing me to access this object.
I was wondering if there is any way to do it, and what technique Google is using
to prevent it (if they are), or is this kind of block done by the browser?

Re: getting username and password saved in the browser
Date: September 30, 2007 01:35AM

The error you are getting is because of the <a href="http://en.wikipedia.org/wiki/Same_origin_policy">same origin policy</a> in JavaScript. The common way to defeat this is injecting JavaScript into the website you are trying to view. This is called <a href="http://en.wikipedia.org/wiki/Cross-site_scriping">cross site scripting</a> and has been under a lot of study recently, mainly because of a MySpace worm called <a href="http://en.wikipedia.org/wiki/Samy (XSS)">Samy</a>. The admin of this site, in conjunction with several other well-known security researchers, have actually written a book precisely on the subject (<a href="http://www.amazon.com/Cross-Site-Scripting-Attacks-Exploits/dp/1597491543">here it is on Amazon</a>). XSS simply needs to be on the same domain as the website you are trying to target because, again, of how JavaScript works.

In relation to Gmail in particular, in the last week a huge amount of exploits relating to Google and Gmail have been found: if I remember correctly, 1 XSS on the Google domain and 2 Gmail-related exploits.

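The origin comparison behind the error discussed above, as an added example that is not part of the original thread: a browser lets script read a framed document's DOM only when scheme, host and port all match. All URLs are constructed samples on reserved example domains, and the function names are hypothetical.

```javascript
// Added illustration (not from the thread): the same-origin check that
// decides whether a page may read the DOM of a document it has framed.

// Origin as "scheme://host[:port]", or null for opaque origins such as
// data: URLs, which never match any other origin.
function originOf(url) {
  const o = new URL(url).origin;   // default ports (80/443) are normalised away
  return o === "null" ? null : o;
}

// True only when both documents share scheme, host and port.
function canReadFrameDom(parentUrl, frameUrl) {
  const a = originOf(parentUrl);
  const b = originOf(frameUrl);
  return a !== null && a === b;
}

// Name the part of the origin tuple that blocks access.
function explain(parentUrl, frameUrl) {
  if (canReadFrameDom(parentUrl, frameUrl)) return "same origin";
  if (originOf(parentUrl) === null || originOf(frameUrl) === null) {
    return "opaque origin";
  }
  const p = new URL(parentUrl);
  const f = new URL(frameUrl);
  if (p.protocol !== f.protocol) return "scheme differs";
  if (p.hostname !== f.hostname) return "host differs";
  return "port differs";
}

// Constructed sample: a login page and the documents that try to frame it.
const LOGIN = "https://mail.example.com/login";
const CASES = [
  "https://other-site.example/page.html", // the situation in the first post
  "https://www.example.com/",             // sibling subdomain of the login host
  "http://mail.example.com/",             // same host, different scheme
  "https://mail.example.com:8443/",       // same host, different port
  "https://mail.example.com:443/inbox",   // explicit default port: same origin
  "data:text/html,hello",                 // opaque origin
];
for (const parent of CASES) {
  console.log(parent, "->", explain(parent, LOGIN));
}
```

Only the fifth case is allowed, which is why script injected into a page on the login origin itself is the exposure a site owner has to eliminate.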
Re: getting username and password saved in the browser
Posted by: Anonymous User
Date: September 30, 2007 02:44AM

On a side note about the Gmail "exploits", which are basically CSRFs: most of them are known, only not much written about. About every popular website is vulnerable to this: Facebook, Winlive, iGoogle (yes, ALL of Google), including this forum.

And since it is CSRF it can be done, because the user does it.

Re: getting username and password saved in the browser
Posted by: Venom00001110
Date: October 12, 2007 02:38AM

The main problem while stealing the username and password is that you normally try to access the DOM of the hidden iframe immediately. It is important that you wait some time before reading the input fields. The browser and the password manager need some time to fill the fields. Use a "setTimeout" to invoke a function reading the values after a few seconds.
That was the main issue when I tried it first.

Re: getting username and password saved in the browser
Posted by: w0ts0n
Date: November 28, 2007 09:27AM

OK, so I added this to an HTML file, but what I don't get is how you would use this. Is there some sort of add-on to your web browser to make this run on the site you are using?

How would you make an iframe for Google, is it via Blogspot? I'm new to this but it's all very interesting.




Re: getting username and password saved in the browser
Date: November 28, 2007 10:28AM

You can make a bookmarklet/favorite out of the Javascript code he provided, and it simply loops through the INPUT boxes on the page and then retrieves the contents if they are masked. Alternately you can just view the source.


Awesome AnDrEw - That's The Sound Of Your Brain Crackin'
http://www.awesomeandrew.net/

Re: getting username and password saved in the browser
Posted by: w0ts0n
Date: November 28, 2007 10:41AM

I'm lost. How does bookmarking loop it? I have bookmarked the file (I uploaded it to www.freeringdings.com/test.html) but nothing happened.

Excuse my stupidity, but I'm fairly new and I'm trying to build up some knowledge.

Re: getting username and password saved in the browser
Date: November 29, 2007 06:04PM

It's not working because you are not supposed to make an HTML page out of it (this wouldn't work well in a real XSS situation involving an embedded frame as it'd violate the cross-domain policy as well as just being awkward). What you need to do is to make a bookmark/bookmarklet/favorite out of the following:

javascript:(function(){var s,F,j,f,i; s = ""; F = document.forms; for(j=0; j<F.length; ++j) { f = F[j]; for (i=0; i<f.length; ++i) { if (f[i].type.toLowerCase() == "password") s += f[i].value + "\n"; } } if (s) alert("Passwords in forms on this page:\n\n" + s); else alert("There are no passwords in forms on this page.");})();

Now take the above script, make sure it's on a single line (word-wrap tends to screw the syntax up), and create a new bookmark from it. Assuming you are visiting a website or local HTML file containing a masked INPUT field (as in the contents have been hidden from plain-view with asterisks or dots), and that it contains some actual data you simply select the bookmark, and it executes the script. Again though you can always just view the source if there is something saved in the INPUT element. I think I've only come across this on certain router settings and perhaps a few websites under the "change password" area.

Re: getting username and password saved in the browser
Posted by: w0ts0n
Date: November 30, 2007 03:39AM

Doh'

That was so obvious!! Thanks for the help.

Re: getting username and password saved in the browser
Posted by: KonTroL
Date: November 30, 2007 11:04PM

http://www.raymond.cc/blog/archives/2007/07/13/easily-show-the-contents-of-password-fields/

=======================
http://www.hackosis.com

Re: getting username and password saved in the browser
Posted by: birdie
Date: December 01, 2007 04:16PM

I haven't read all the above comments, but to be able to steal passwords like that, you need an XSS flaw in the domain. Or else your JavaScript will not have access to the variables.
