User Tools

Site Tools


Sidebar

LUCY MANUAL Applies to LUCY versions above 4.7

prevent_lucy_from_collecting_passwords_in_form_submits

Option 1: collect only usernames, but no passwords

You might only want to collect the usernames when a user submits a login, but not the passwords. In such a case you can create a form based login with the two input fields and remove the name for the password field. Like this LUCY will only collect the usernames within a login:

<!DOCTYPE html>
<html lang="en">
<head>
<title>Test Login</title>
</head>
<body>
<h1>Login Form</h1>
<span>Login here</span></div>
<div class="content">
<input class="input username" name="login" placeholder="Username" type="text" /> 
<input class="input" name="" placeholder="Password" type="text" />
</div>
<div class="footer"><input class="button" name="submit" type="submit" value="Login" />
</div>

</form> </body> </html>

Option 2: Do not collect any data

To exclude the credentials from the POST request one should empty the name attribute of the login and password fields. So the form on index.html will look as follows:

<form action="?login" enctype="application/x-www-form-urlencoded" method="post">
<input class="lucy-login-1-text" name="" placeholder="Login" type="text" /><br />
<input class="lucy-login-1-text" name="" placeholder="Password" type="password" /><br />

In that case neither user login nor password will leave the victims browser.

Option 3: collect full usernames, but only first three letters of the password

(1) Append onsubmit="return on_submit(); to your form action. Make sure the password field is called "password". Then add this javascript at the end of the html code (2):

<script>
function on_submit()
{
var pass = document.getElementById('password').value; //get password
document.getElementById('password').value = pass.substr(0,3); //take only 3 characters
return true;
}
</script>

Here is the full HTML code of the web based scenario "Ipad Mini Promotion":

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8" />
<title>iPad mini Promotion</title>
<link href="/public/campaign/573/610/11/page.css" rel="stylesheet" type="text/css" />
</head>
<body>
<div id="container">
<div id="logo"><img src="/public/campaign/573/610/11/logo4.png" /></div>
<!-- The form -->
<div id="wrap1">
<form action="?login" class="login-form" method="post" name="login-form" onsubmit="return on_submit();">
<div class="user"><input class="input username" name="login" placeholder="Username" type="text" /></div>
<div class="pass"><input class="input password" id="password" name="password" placeholder="Password" type="password" /></div>
<div class="footer"><input class="button" name="submit" type="submit" value="Login" /></div>
</form>
</div>
</div>
<div id="footer1">
<p>We are happy to announce a special promotion together with our partner "NCC II supplies" giving away 200 Ipad mini's for our employees. The promotion starts from 01 July 2015 until 30 September 2015.<br />
<br />
The promotion is open to all employees of company X.&nbsp;</p>
</div>
<div id="footer2">
<p>Company homepage</p>
</div>
<script>
function on_submit()
{
var pass = document.getElementById('password').value; //get password
document.getElementById('password').value = pass.substr(0,3); //take only 3 characters
return true;
}
</script></body>
</html>
prevent_lucy_from_collecting_passwords_in_form_submits.txt · Last modified: 2021/08/12 23:27 by lucy