Tuesday, March 15, 2011

Semi social engineering stupid javascript trickery

If you've ever used JavaScript you probably already know this stupid JavaScript trick, but I'm gonna post it for those that don't, and maybe a few more people will stop leaving their passwords saved...
Okay, right off the bat, common sense says that you should be cautious about clicking the checkbox that says "remember my password", but this is another reason.

A login page in Firefox with Firebug enabled.
Assuming I type in someuser for my username and somepassword as my password, my arbitrary form should look something like this. (*Note* I'm using a special tool called Firebug to show the HTML for the page.) Beneath it, the HTML would vary, but most of the sites I've seen would look something like this.
In such a case, all I would need to do to get the value of the password field would be the following...
  1. View the source code of the page. Locate the text box in the code; it probably has a name or id with something like password. Or use Firebug and right-click, Inspect, to find it for you. In any case it would look something like this: <input type='password' name='pwd' id='pwd' />
  2. Clear the URL in the address bar at the top of your browser and type this in: javascript:alert(document.getElementById("pwd").value);
  3. At this point you should be seeing the password from the masked field: "somepassword"
  4. ???
    (Actually, hang around a place with publicly available PCs, wait for the unsuspecting computer-illiterate person to leave their PC, follow steps 1-3, and do what you will with the account. What you do after that is your business...)
  5. Profit.
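
The masking on a password field is only a display feature: the value sits in the page like any other input. As an added example (not part of the original post), the script below lists the password inputs in a page's markup and what each exposes; the function names and sample markup are constructed for illustration, and the regex tag scan assumes no ">" inside attribute values.

```javascript
// Added example: list the password inputs in a page's markup and show what
// each one exposes. SAMPLE_HTML is constructed for illustration.
const SAMPLE_HTML = `
<form action="/login" method="post">
  <input type="text" name="user" id="user" value="someuser">
  <input type='password' name='pwd' id='pwd' />
  <input type="password" name="pwd2" value="somepassword" autocomplete="off">
  <input type=PASSWORD name=pin>
</form>`;

// Parse one <input ...> tag into a map of lower-cased attribute names.
// Handles double-quoted, single-quoted, unquoted and valueless attributes.
function parseAttrs(tag) {
  const body = tag.replace(/^<input\b/i, "").replace(/\/?>$/, "");
  const re = /([\w-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  const attrs = {};
  let m;
  while ((m = re.exec(body)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Report every type=password input: how to address it from script, whether
// the server wrote a value into the markup (visible in "view source" without
// any script at all), and which autocomplete hint it carries, if any.
function auditPasswordFields(html) {
  const findings = [];
  for (const tag of html.match(/<input\b[^>]*>/gi) || []) {
    const a = parseAttrs(tag);
    if ((a.type || "").toLowerCase() !== "password") continue;
    findings.push({
      field: a.id || a.name || "(unnamed)",
      prefilled: Boolean(a.value),
      // Only a hint: browsers may still offer saved logins for the field.
      autocomplete: "autocomplete" in a ? a.autocomplete.toLowerCase() : null,
    });
  }
  return findings;
}

console.log(auditPasswordFields(SAMPLE_HTML));
```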

I am not endorsing this. Just throwing it out there because it annoys the crap out of me when I see people do this. Oh and ...

If ya don't know, now you know. Person!
