Friday, January 13, 2012

Password extraction from Ajax/DOM/HTML5 routine – Poor programming calls


Login Ajax routine is an interesting place to check for variable definition and assignments with respect to "single DOM application"/HTML5/Web2.0 framework. If variables are not created with proper scope then can be accessed as global and contain interesting information like username, password, tokens etc. Interestingly we need to do lot of JavaScript analysis with Web 2.0, Ajax, HTML5 and Single DOM applications.

For example, here is a routine for login. It can be buried in one of the JS files but gets loaded on DOM at the point of call and remain there throughout application life cycle.

function getLogin()
{

gb = gb+1;
var user = document.frmlogin.txtuser.value;
var pwd = document.frmlogin.txtpwd.value;
var xmlhttp=false;
        try  { 
         xmlhttp = new ActiveXObject("Msxml2.XMLHTTP");
           // other code for XHR initialization
                         
        }
       
        temp = "login.do?user="+user+"&pwd="+pwd;
        xmlhttp.open("GET",temp,true);
        xmlhttp.onreadystatechange=function()
               {   
                // other code on state ready change                                          
                                       
               }      
        xmlhttp.send(null);
}

Here, temp variable is crafting URL and posting username and password for Ajax call. It can be part of POST if going through send(). “temp” variable is very loosely defined as global and can be accessed from the DOM.
It is easy to access those variables from DOM – Yes, need DOM based XSS but coding practice is poor over here. Payload to exploit the vulnerability…

for(i in window){
    obj=window[i];
     try{
            if(typeof(obj)=="string"){
                console.log(i);
                console.log(obj.toString());
            }
        }catch(ex){}
}

You will get “temp” variable with following value - login.do?user=foo&pwd=foobar.