Stealing passwords using XSS has been discovered long time ago, it mainly targeted the Firefox browser. Today in a boring afternoon weekend, I had the idea of a serious vulnerability targeting Google Chrome (I’ll test it and show it the next time) and I was thinking for the whole year that Firefox is not vulnerable to password theft anymore, especially with the new 3.5 version, but that’s not true, my test worked perfectly on Firefox and Chrome as well, but not Internet Explorer 8 thanks to it’s XSS filters as shown below.
I used this website http://testasp.acunetix.com/ to test the password theft, it’s totally legal to do some hacking stuff in there, so feel free to mess around with it :).
First of all you need to register a new account in there (just for test, they will do a backup every 24 hours so your data will be lost).
after that you’ll be prompted if the browser save the password for you or not, hit yes since that’s the whole point behind all that
now we are ready, we need to locate an XSS vulnerability on the website, if you have already worked with XSS before, you will head directly to the search page, where 99% of XSS is.
Go to the search page http://testasp.acunetix.com/Search.asp and type this in the search field: <script>alert(‘hi, am XSS’)</script> , this is the Url of the request http://testasp.acunetix.com/Search.asp?tfSearch=%3Cscript%3Ealert%28%22XSS%22%29%3C/script%3E
something popped on the screen? nice, that’s XSS, say hi!
Now everything is ready, we need just a little JavaScript code to load the login page, read the stored password and send us the passwords back! so easy isn’t it?
Well it’s simple, first of all we create a frame and embed it to the current document html, to make things easy we will use the framset element like this:
var frameset = document.createElement('frameset');
inside that framset we will append a frame that will hold the login.asp html like follows
var frame1 = document.createElement('frame'); frame1.setAttribute('src','login.asp');
frameset.appendChild(frame1);
then we append that frameset to the current HTML document
document.body.appendChild(frameset);
We are almost done now, if you wonder what we just did, embed that JavaScript in the XSS vulnerability we just mentioned to see the result, here is the link:
now you can see a sweet login page embedded with the search page html, like you see in this picture the firebug inspected HTML
Having the login page accessible with JavaScript, nothing left but extracting the stored password and login, this is the JavaScript handling that :
function showLogin()
{
alert('login : ' + parent.frames[0].document.forms[0].elements[0].value + '\npass : '+parent.frames[0].document.forms[0].elements[1].value);
}
Well it’s quite simple also, parent is pointing to the current window, frames[0] is the login page, document.forms[0] is the login form in the login.asp page and the elements collection are the input controls (login and password) as you can see in the following firebug screenshot:
well that’s it, this is the full JavaScript that is used to steal passwords:
var frameset = document.createElement('frameset');
var frame1 = document.createElement('frame');
document.body.appendChild(frameset);
frame1.setAttribute('src','login.asp');
frameset.appendChild(frame1);
setTimeout(showLogin,1000);
function showLogin()
{
alert('login : ' + parent.frames[0].document.forms[0].elements[0].value + '\npass : '+parent.frames[0].document.forms[0].elements[1].value);
}
You might notice the setTimeout(showLogin,1000); line, actually this makes the browser waits 1 second (1000 millisecond) before executing the showLogin function, this is because the login frame won’t load immediately when you embed it, so we wait a little before extracting information from it, for people with slow network speed, you may make the timeout a little more longer.
Pretty simple and easy, if you wonder what’s next, then you might be looking at XSS for the first time. at this stage you can consider you have the victim’s password and login already, you can for example create a dynamic page that intercepts these data and saves it to a database where you can see it. you are wondering how to do that? well, AJAX can do that, I’m not going to show how you can request your page after you take control of the passwords, but it doesn’t take more than 2 minutes Googling it :)
well that’s it, I was living for more than a year now thinking that Firefox fixed that problem already by not showing the login and pass before the user focus on the field and choose the login like in this picture, but I was wrong. You can brute force this by predicting the first letter of the login anyways, the only benefit is that it will take long to get the login information.
//The information contained in this guide is for educational purposes only I cannot be held responsible for anyone’s reaction to this post!