Cross-Site Scripting (XSS) attack method steals your browser’s auto-fill credentials

by Christi Rogalski
July 11, 2022 - Updated on February 23, 2023
in Exploits

Cross-site scripting (XSS) ranks high on lists of common cybersecurity risks. In an XSS attack, attacker-controlled script is injected into a vulnerable web application and then executed by the victim's browser in the context of that site. The attack is used to take over end users' accounts, hijack sessions, and masquerade as the victim, among other threats.


Though many web users are unaware of the threat, you may be exposed to an XSS attack if you use the saved-credentials feature available in most web browsers. This post explores how XSS can abuse the browser autofill function to compromise credentials saved in the browser.

Analysis and the technique of this XSS attack

Almost every browser comes with an autofill function. For convenience, this feature automatically enters your saved credentials into login fields. It is often enabled by default in popular modern browsers such as Chrome, Opera, Firefox, Internet Explorer, and others. Worse, some browsers provide no option to disable it. To limit exposure, the safest choice is not to save personal data in the browser at all, or to decline the save prompt when it appears, so that credentials are never entered automatically.

How does a browser storing credentials become a security risk? In an XSS attack, the attacker gets a vulnerable web application to serve a page containing attacker-controlled script. Because the application neither validates nor encodes that output, the script runs in the origin of the legitimate site. The browser, seeing what looks like a login form on that origin, fills in the saved username and password, and the script can then read those values, along with session cookies and other personal data, and send them to the attacker.

Though the attack vector sounds straightforward, its success depends on several factors: the browser, its autofill settings, and whether credentials are saved for the origin. The user's password manager, which often allows auto-fill to be disabled, also determines whether the attack succeeds.

With more information about the attack available, users can guard against this vector. We tested the security risk of autofill, which is most likely enabled by default in your favorite browser, in a realistic HTTP environment to provide a deeper understanding.

Attack vectors on popular browsers

Firefox

On Firefox, a simple XSS payload can steal one set of credentials (the password) from an auto-filled input field. The working payload does not automatically fill in two sets of credentials, but the username it fills does match the saved credentials for the origin.

[Figure: Autocomplete XSS attack in Firefox. Source: GoSecure]

Chrome

For Chrome to fill in the password field, the user must first interact with the username field. User interaction, either a click or keyboard input, is required before the saved credentials become accessible.

Therefore, the XSS payload needs the user to trigger an on-page event before it can read the auto-filled credentials and send them to the attacker's server. Other Chromium-based browsers such as Edge and Opera behave in the same way.

[Figure: Autocomplete XSS attack working in Chrome. Source: GoSecure]

Differences between the popular browsers

Browsers differ not only in their engines but also in the security features they enforce, including whether they auto-fill credentials. Below is an analysis of popular browsers and their autofill behaviour.

Firefox

Two major advantages of Firefox are the options to disable auto-fill and to use a password manager. However, the pop-up offering matching credentials for the origin is enabled by default.

Tor browser, another widely used browser with a Firefox engine, neither autofills nor requests to save passwords by default. Additionally, it blocks all scripts except when the user grants permission.

  • Option to disable autofill available
  • Autofill feature available
  • Auto-fill on exact match
  • It works the same on the mobile version

Chromium-based browsers (Chrome, Edge, Opera)

Though there are several Chromium-based browsers, tests on Chrome, Opera, and Edge showed that none of them offers an option to disable autofill. The browser auto-fills even when the "offer to save passwords" function is turned off. The mobile versions of these browsers, on the other hand, prompt for matching credentials on each field.

  • Have autofill feature
  • No option to disable autofill
  • Auto-fill on matching credentials
  • The Mobile version reacts the same way on Opera
  • Mobile versions are not the same on Chrome and Edge

Brave

Brave behaves differently from the other Chromium-based browsers. Its users run no risk from this attack, since it has no auto-fill function and asks for permission via a pop-up before entering a matching set of credentials.

  • No autofill function
  • No option to disable autofill
  • It does not autofill an exact match
  • The Mobile version behaves the same

Internet Explorer

Unlike the Chromium-based browsers, Internet Explorer allows autofill to be disabled. With autofill disabled, the save-credentials prompt no longer appears.

  • The autofill feature is available
  • It auto-fills
  • Exact match credentials are also auto-filled.
  • No mobile version

Safari

Despite having the feature, Safari does not autofill. In addition, a pop-up containing the matching set only shows with interaction.

  • It has an autofill option
  • It does not autofill
  • No autofill on exact match
  • The Mobile version is the same

Mitigation

Defensive techniques for developers

Web developers have a limited set of defences against XSS. Though bypasses exist, a good Content-Security-Policy (CSP) header provides solid resistance. Strict HTML encoding of output, together with validation and sanitization of all variables, is also a sound defensive technique.

Defensive technique for Security Administrators

Disabling browser password saving via Group Policy Object (GPO) or Endpoint Manager is an ideal solution for administrators. This removes the option to save passwords in the browser's built-in password manager, so there is nothing for autofill to enter.

Defensive technique for users

End users have two ways to guard against this attack. The first is to use a free and open-source password manager such as KeePass, or a commercial alternative such as 1Password or Bitwarden. The second is to make sure the attack cannot succeed without user interaction, by choosing a password manager that does not auto-fill or that offers a working option to disable it.

Conclusion

Despite the prevalence of the attack vector, it is pretty surprising most widely used browsers automatically fill in sensitive data or have no option to disable the function. We hope this provides insight for non-technical users to opt for a secure solution or to use a password manager.

Via: Gosecure
Tags: browser, chrome, firefox, safari, xss
Christi Rogalski

Christi began her InfoSec career at the Illinois Institute of Technology, where she received her Bachelor of Science degree in Applied Cybersecurity and Information Technology. Her passions include learning about new threats in the security world, investing, and playing with her dog, Pablo.
