Demo: Retrieving Password from External Webpage using Javascript

2015-01-07

An external script will try to read the entered data and display it in the list below. Additionally, the SESSION-ID is read and displayed. This proves that an external script is capable of reading browser-stored passwords (tested using Iceweasel 33.0).

The entered data is "sent" to my webserver to generate a PNG graphic containing the entered password (displayed in the red box). This data is stored in the web logs, so do not enter your real password ;-) This is done to show that the Same Origin Policy cannot protect you (see developer.mozilla.org/... to learn why).

@External hosting of JS: No, I will not include an external JavaScript file, but you can try it if you want to find out. Just download this page locally and make sure the scripts are referenced with their full path.
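
A defensive check for the exposures described above, as an added example that is not part of the original page: it audits a response's headers for which script origins may run, which hosts image requests may reach, and whether session cookies are readable from script. The header values, the cookie name `SESSIONID` and the finding labels are constructed for this example.

```javascript
// Added example (not from the original page). Header values are constructed.
// Parse a Content-Security-Policy value; the first occurrence of a directive wins.
function parseCsp(value) {
  const policy = new Map();
  for (const part of (value || '').split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// A fetch directive falls back to default-src; null means no restriction at all.
function effective(policy, directive) {
  return policy.get(directive) ?? policy.get('default-src') ?? null;
}

// Open = no policy, or a wildcard / scheme-wide source that admits any host.
function isOpen(sources) {
  return sources === null ||
    sources.some(s => ['*', 'http:', 'https:'].includes(s.toLowerCase()));
}

// Returns finding labels (hypothetical names chosen for this example).
function auditHeaders(headers) {
  const findings = [];
  const policy = parseCsp(headers['content-security-policy']);
  // Any script running in the page can read the password field's value.
  if (isOpen(effective(policy, 'script-src'))) findings.push('script-src-open');
  // Image loads are not blocked by the Same Origin Policy, so a URL can carry data out.
  if (isOpen(effective(policy, 'img-src'))) findings.push('img-src-open');
  // Without HttpOnly, the session cookie is visible through document.cookie.
  for (const cookie of [].concat(headers['set-cookie'] || [])) {
    const [pair, ...attrs] = cookie.split(';').map(s => s.trim());
    if (!attrs.some(a => a.toLowerCase() === 'httponly'))
      findings.push('cookie-readable:' + pair.split('=')[0]);
  }
  return findings;
}

// Constructed sample responses: one without protections, one hardened.
const weak = { 'set-cookie': ['SESSIONID=abc123; Path=/'] };
const hardened = {
  'content-security-policy': "default-src 'self'; img-src 'self'",
  'set-cookie': ['SESSIONID=abc123; Path=/; Secure; HttpOnly'],
};
console.log(auditHeaders(weak));
console.log(auditHeaders(hardened));
```

HttpOnly only covers the cookie; the typed password stays readable to any script the page runs, which is why the `script-src` check matters.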

This is the demo password field:

Status