Busting Password Managers: AJAX Logins

October 02, 2014

This is a continuation of our series on Busting Password Managers. Check out the first post here.

Hypothesis:

If the username and password are submitted using AJAX, then browsers will not save passwords.

The Technique:

Our theory is that browsers only identify passwords inside of typical, synchronous HTML form submit events. Our goal is to disguise the authentication request containing the username and password in an AJAX call. To test this out, we started with the default Visual Studio 2013 ASP.NET MVC C# project. The source code for our test is available on GitHub at https://github.com/pvwowkfn/AutoCompleteBlog/tree/AsynchSubmit.

Consider this example:

[Image: AJAX 1, the login page markup: a form with username and password inputs, and a "Login" button placed outside the form tags]

There are two things that should stand out. First, the "Login" button is not inside the form tags, so clicking it does not submit the form normally. Instead, authentication must go through a specific function called "submitForm()". Second, the form tag contains an "action" attribute that points at a non-existent form handler, because the normal form submission mechanism is never used. The real submission logic lives in the script below, which contains the "submitForm()" function.

[Image: AJAX 2, the script defining submitForm(): it reads the input values, builds the POST body, sends it with an AJAX POST, and handles the result in a "done" callback]

In this script, there are multiple pieces of critical information. First, it reads the values from the input fields and builds the POST body. This is normally done by the browser automatically when a submit button is clicked. The second part is the AJAX POST request, which sends a request to the server that looks like any normal POST authentication request. However, the meat of this code is in the "done" function, which handles the success and failure results. Our example replaces all content in the Document Object Model ("DOM") with the content of the server response, which shows whether user authentication succeeded or failed. A simple redirect using window.location may work as well.
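The flow described above, as an added example that is not the code from the GitHub repository: it uses fetch() in place of the jQuery AJAX call, and the element ids "username", "password" and "login-button" and the endpoint "/Account/Login" are assumptions.

```javascript
// Build the URL-encoded POST body from a plain object of field values.
// On a synchronous form submit the browser does this step itself.
function buildLoginBody(fields) {
  const params = new URLSearchParams();
  for (const [name, value] of Object.entries(fields)) {
    params.append(name, value);
  }
  return params.toString();
}

// Read the credential inputs out of the DOM (element ids are assumed).
function collectFields(doc) {
  return {
    UserName: doc.getElementById('username').value,
    Password: doc.getElementById('password').value,
  };
}

// Send the credentials with an asynchronous POST instead of a form submit,
// then replace the whole DOM with the server's response page, which is the
// "done" handling the post describes (fetch() used instead of jQuery).
async function submitForm(doc, endpoint) {
  const body = buildLoginBody(collectFields(doc));
  const response = await fetch(endpoint, {
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body,
    credentials: 'same-origin',
  });
  const html = await response.text();
  doc.open();
  doc.write(html);
  doc.close();
}

// Wire the button outside the form up to submitForm() only in a browser.
if (typeof document !== 'undefined') {
  document.getElementById('login-button')
    .addEventListener('click', () => submitForm(document, '/Account/Login'));
}
```

Note that the only change from a synchronous submit is who builds and sends the body; the credentials still cross the wire in the same form-encoded shape, so server-side validation and transport protections are unchanged.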

During testing, Chrome, Firefox, IE, Safari on iOS and Chrome on Android did not appear to detect that a login form had been submitted, since none of them prompted to save the password.

Successfully works on:

Firefox: Yes

Chrome: Yes

Internet Explorer: Yes

Safari: Yes

Mobile: Yes
