User Tools

Site Tools


prevent_lucy_from_collecting_passwords_in_form_submits

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision
Previous revision
prevent_lucy_from_collecting_passwords_in_form_submits [2017/08/21 11:30] – [Option 2: collect full usernames, but only first three letters of the password] lucyprevent_lucy_from_collecting_passwords_in_form_submits [2022/04/07 19:59] (current) lucy
Line 21: Line 21:
  </html>  </html>
  
 +===== Option 2: Do not collect any data =====
 +To exclude the credentials from the POST request one should empty the name attribute of the login and password fields. So the form on index.html will look as follows:
  
-===== Option 2: collect full usernames, but only first three letters of the password =====+  <form action="?login" enctype="application/x-www-form-urlencoded" method="post"> 
 +  <input class="lucy-login-1-text" name="" placeholder="Login" type="text" /><br /> 
 +  <input class="lucy-login-1-text" name="" placeholder="Password" type="password" /><br /> 
 +In that case neither user login nor password will leave the victims browser. 
 + 
 +===== Option 3: collect full usernames, but only first three letters of the password =====
  
 {{ 3letters_.png?600 }} {{ 3letters_.png?600 }}
Line 28: Line 35:
 (1) Append onsubmit="return on_submit(); to your form action. Make sure the password field is called "password". Then add this javascript at the end of the html code (2): (1) Append onsubmit="return on_submit(); to your form action. Make sure the password field is called "password". Then add this javascript at the end of the html code (2):
  
-<script> +  <script> 
-function on_submit() +  function on_submit() 
-+  
-var pass = document.getElementById('password').value; //get password +  var pass = document.getElementById('password').value; //get password 
- document.getElementById('password').value = pass.substr(0,3); //take only 3 characters +  document.getElementById('password').value = pass.substr(0,3); //take only 3 characters 
-return true; +  return true; 
-+  
-</script>+  </script>
  
  
 Here is the full HTML code of the web based scenario "Ipad Mini Promotion": Here is the full HTML code of the web based scenario "Ipad Mini Promotion":
  
-<!DOCTYPE html> +  <!DOCTYPE html> 
-<html lang="en"> +  <html lang="en"> 
-<head> +  <head> 
- <meta charset="UTF-8" /> +  <meta charset="UTF-8" /> 
- <title>iPad mini Promotion</title> +  <title>iPad mini Promotion</title> 
- <link href="/public/campaign/573/610/11/page.css" rel="stylesheet" type="text/css" /> +  <link href="/public/campaign/573/610/11/page.css" rel="stylesheet" type="text/css" /> 
-</head> +  </head> 
-<body> +  <body> 
-<div id="container"> +  <div id="container"> 
-<div id="logo"><img src="/public/campaign/573/610/11/logo4.png" /></div> +  <div id="logo"><img src="/public/campaign/573/610/11/logo4.png" /></div> 
-<!-- The form --> +  <!-- The form --> 
- +  <div id="wrap1"> 
-<div id="wrap1"><!-- <span>LOGIN</span>--+  <form action="?login" class="login-form" method="post" name="login-form" onsubmit="return on_submit();"> 
-<form action="?login" class="login-form" method="post" name="login-form" onsubmit="return on_submit();"> +  <div class="user"><input class="input username" name="login" placeholder="Username" type="text" /></div
-<div class="user"><input class="input username" name="login" placeholder="Username" type="text" /></div>+  <div class="pass"><input class="input password" id="password" name="password" placeholder="Password" type="password" /></div> 
 +  <div class="footer"><input class="button" name="submit" type="submit" value="Login" /></div> 
 +  </form> 
 +  </div> 
 +  </div> 
 +  <div id="footer1"> 
 +  <p>We are happy to announce a special promotion together with our partner "NCC II supplies" giving away 200 Ipad mini's for our employees. The promotion starts from 01 July 2015 until 30 September 2015.<br /> 
 +  <br /> 
 +  The promotion is open to all employees of company X.&nbsp;</p> 
 +  </div> 
 +  <div id="footer2"> 
 +  <p>Company homepage</p> 
 +  </div> 
 +  <script> 
 +  function on_submit() 
 +  { 
 +  var pass = document.getElementById('password').value; //get password 
 +  document.getElementById('password').value = pass.substr(0,3); //take only 3 characters 
 +  return true; 
 +  } 
 +  </script></body> 
 +  </html>
  
-<div class="pass"><input class="input password" id="password" name="password" placeholder="Password" type="password" /></div>+ **Option 4: Adding parameters for collecting data in login forms during web-based attacks.**  
 +  
 +Sometimes there is a need to ask users for some extra information in the form where their credentials are supposed to be filed in and as a consequence, to upload received information. **This article is dedicated to adding new inputs in the form of the attack scenario and collecting credentials.** In web-based attacks LUCY is recording **ALL** data send back to the landing page in a form POST request. This article will help you to add more fields in your form and collect entered information. 
  
-<div class="footer"><input class="button" name="submit" type="submit" value="Login" /></div> +As you can see on the screenshot below, this form has two fields for entering the credentials (Login name and the Password). Let’s try to understand what does it consist of? 
-</form+
-</div> +
-</div>+
  
-<div id="footer1"> 
-<p>We are happy to announce a special promotion together with our partner "NCC II supplies" giving away 200 Ipad mini's for our employees. The promotion starts from 01 July 2015 until 30 September 2015.<br /> 
-<br /> 
-The promotion is open to all employees of company X.&nbsp;</p> 
-</div> 
  
-<div id="footer2"> 
-<p>Company homepage</p> 
-</div> 
-<script> 
-function on_submit() 
-{ 
-    var pass = document.getElementById('password').value; //get password 
-    document.getElementById('password').value = pass.substr(0,3); //take only 3 characters 
-    return true; 
-} 
-</script></body> 
-</html> 
  
prevent_lucy_from_collecting_passwords_in_form_submits.1503307841.txt.gz · Last modified: 2019/07/25 12:51 (external edit)