Jump to content


Photo
- - - - -

Unmask any password in any web browser


  • Please log in to reply
22 replies to this topic

#21 Ohm

Ohm

    I could have written a book with all of these posts

  • Members
  • 3,209 posts
  • Gender:Male
  • Location:Maine, USA

Posted 31 August 2009 - 04:19 PM


[...] yet they have better security for this stuff.

What makes you think that?


He's referring to the fact that you can't just change the type of the password fields with Javascript on IE. IE has some other interesting security features, like XSS protection you can turn on in IE 8. I wouldn't exactly call it the most secure browser out there though.

#22 duper

duper

    Dangerous free thinker

  • Members
  • 816 posts
  • Location:NYC

Posted 04 September 2009 - 01:54 PM

Although it's a slightly more involved exploitation technique, you can rule out any JavaScript idiosyncrasies by using an active proxy to rewrite the input tag's type field value from password to text.

#23 Ohm

Ohm

    I could have written a book with all of these posts

  • Members
  • 3,209 posts
  • Gender:Male
  • Location:Maine, USA

Posted 04 September 2009 - 03:37 PM

Slightly more useful would be automatically redirecting through a proxy using ARP spoofing. The only thing that remains unknown there is will the browser blindly put the password into an input text field with the same name, even if it's not a password field? I should think the browsers are smarter than that, but seeing how easy this was in the first place, I'm not so sure about that.




BinRev is hosted by the great people at Lunarpages!