Obtaining the user's plaintext password via XSS

Source: Internet
Author: User

Xeye Team

This relies on the browser's "remember password" feature. Firefox and Chrome enable it by default; IE8 does not enable it by default. Other browsers were not tested.

When a user logs in, the browser asks whether to remember the password:
1. Firefox offers three options: Remember, Never for this site, and Not now.
2. Chrome asks "Do you want Google Chrome to save your password?" with two options: Save password, and Never for this site.
3. IE8 prompts to remember the password at login only when "User names and passwords on forms" is enabled under its AutoComplete settings.

These features resemble ordinary form auto-completion, but they are not the same thing. The key point is that a password is "top-level" private information, so the browser applies a dedicated security policy to remembered passwords: unlike ordinary form data, which can be shared across different domains, a saved password is confined to the site it was saved for. At the web layer, the same-origin policy cannot be broken, so the only route to consider is XSS, and here XSS is extremely powerful.

The three browsers' security policies differ somewhat, and the differences are interesting. Let's look at Firefox first. After logging in, a prompt appears, and for convenience many people choose "Remember":

After logging out, the browser has remembered the username and password:

PS: Well, the two screenshots above have some padding :). People who understand them will see that they differ from each other; I will not change the pictures on that account.

Once the form containing the username and password fields is rendered, the browser fills in the values automatically. The password is shown as asterisks and cannot be read by viewing the page source, but its value can be obtained through DOM operations. As a simple test, enter the following in the address bar:

javascript:alert(document.getElementsByTagName('form')[0].getElementsByTagName('input')[1].value);

Run it, and the result is as follows:

In a real attack, if an XSS vulnerability exists, the simplest POC needs only the following:

window.onload = function () {
    // The second input of the first form is the autofilled password field on the test page
    alert(document.getElementsByTagName('form')[0].getElementsByTagName('input')[1].value);
};

In a real attack, if the user is already logged in, CSRF can be used to log them out first and then the attack is carried out. This tip makes the final attack somewhat more effective.

Chrome and Firefox behave much the same, differing only by a few clicks. IE8's design is better: even when IE8 has remembered your username and password, it does not fill the corresponding form fields directly after rendering the page. The username must be entered first, and the asterisk-masked password is filled in only when the password field receives focus. Even so, one can continue:

javascript:alert(document.getElementById('username').value = 'admin'); document.getElementById('password').focus();

I did not test this in a real attack, but I think it should work :)
