
Thread: URL Injection

  1. #1

    URL Injection

    I have a login that I have to go through every day. All it does is ask me for my name and password. Is there a way that I can create something like [www.example.com&id="login"value="MYLOGIN"&id="password"value="MYPASSWORD"] so that I can make a link on my desktop to take me directly into the page without having to type my name/pass?

    Here is the section of the website's source code with the login items:

    <span class=loginFieldText>User Name</span><input AUTOCOMPLETE="off" type=text id="loginField" class=loginField name="login" size=15>
    <span class=loginFieldText>Password</span><input AUTOCOMPLETE="off" class=loginField type=password name='password' size=15>

  2. #2

    Is this _your_ site? That's the sort of feature that would have to be implemented on the server side. It's highly unsafe, however. It would be better to use password management software.

  3. #3

    That's entirely possible if the form uses the method "get". That means the values from the form will be sent in the URL.
    But if the form uses the method "post" then you can't send values in the URL.

    There is a very very small chance that the form uses get. Post should be used for logins for a few reasons (security, and get is supposed to be limited to cases where you're actually requesting content based on the new URL, not to send information to change a setting such as a login).

    What you have above will work if get variables will work. If not, then this method won't work.

    It is possible that even if the form itself doesn't use get, you could still submit it that way, if the page receiving the login information is also looking for get info. But that's incredibly unlikely (and very stupid from a security perspective).


    So in conclusion: that's probably not going to work.

    The easier answer is to store your passwords in your browser so all you need to do is click the submit button. But since that code has "AUTOCOMPLETE=off" then you probably can't, by default, use your passwords that way-- for security reasons it's stopping exactly that.

    You could try to get your browser to override or ignore that (I don't know if it's possible and the method would vary by browser).

    The only other solution you have would be to use a custom JavaScript when the page loads (this can be set automatically using Greasemonkey for Firefox, for example) that would either remove the "AUTOCOMPLETE=off" attribute or it would actually fill in those values.

    But of course any of these methods is not very secure, even storing the passwords in your browsers. It's very easy to read those passwords if you know where to look, so make sure no one else (who you don't trust with your passwords) can look at your computer. As traq said, it's unsafe and you should be very careful about this.
    Last edited by djr33; 09-11-2011 at 10:09 PM. Reason: typo
    Daniel - Freelance Web Design | <?php?> | <html>| español | Deutsch | italiano | português | català | un peu de français | some knowledge of several other languages: I can sometimes help translate here on DD | Linguistics Forum

  4. #4

    If this isn't your website this can't be done. However, it can be done if you can find out: a) if the server is running PHP and b) if the server has "register_globals" on. Otherwise this is probably not going to happen.

    Can't your browser save usernames and passwords?
    - Mike

  5. #5

    mburt, did you read my post?

    It's irrelevant why the server might accept the variables in the URL. In fact, "register_globals" won't guarantee it if the script is using $_POST['username'] rather than $username directly. And that's very unlikely. The only remotely likely possibility is if it is using $_REQUEST in case they want a flexible login system. None of that matters, though, because it's easy to check: the URL in the first post will work if GET variables (through whatever method) are supported. If not, then it won't work. No direct knowledge of the server is required and it's a lot easier to just check if that URL works than to try to figure out how the server works (unless you own the server, and still it's probably easier to just try the URL).


    Just storing the username and password won't help because autocomplete is disabled by those inputs. You would need to find a way around that or use a browser that ignores it.
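    Added example, not part of any post in this thread: a small Python model of the cases discussed in posts #3 and #5, showing which ways of reading the `login` and `password` fields would accept them from the URL, next to a handler that refuses them. It assumes PHP's `request_order` of "GP", ignores cookies, treats `register_globals` as equivalent to reading `$_REQUEST`, and uses constructed sample credentials; the function names are hypothetical.

```python
from urllib.parse import parse_qs

# Field names taken from the form in the first post.
CREDENTIAL_FIELDS = ("login", "password")


def superglobals(method, query, body=""):
    """Model PHP's $_GET, $_POST and $_REQUEST for one request.

    Assumption: request_order is "GP", so POST overrides GET in $_REQUEST.
    $_GET is filled from the query string whatever the method is;
    $_POST is filled only for a POST request with a form-encoded body.
    """
    get = {k: v[-1] for k, v in parse_qs(query).items()}
    post = {k: v[-1] for k, v in parse_qs(body).items()} if method == "POST" else {}
    return {"GET": get, "POST": post, "REQUEST": {**get, **post}}


def credentials_seen(style, method, query, body=""):
    """Return the (login, password) pair the handler would read, or None.

    style 'post'    -> handler reads $_POST only
    style 'request' -> handler reads $_REQUEST
    style 'globals' -> bare $login / $password with register_globals on
                       (modelled here like $_REQUEST, cookies ignored)
    """
    sg = superglobals(method, query, body)
    source = sg["POST"] if style == "post" else sg["REQUEST"]
    values = tuple(source.get(field) for field in CREDENTIAL_FIELDS)
    return values if all(values) else None


def hardened(method, query, body=""):
    """Accept credentials only from a POST body; refuse any in the URL."""
    sg = superglobals(method, query, body)
    if method != "POST" or any(f in sg["GET"] for f in CREDENTIAL_FIELDS):
        return None
    return credentials_seen("post", method, query, body)


if __name__ == "__main__":
    sample = "login=alice&password=s3cret"  # constructed sample values
    for style in ("post", "request", "globals"):
        print(style, "GET with URL credentials ->", credentials_seen(style, "GET", sample))
    print("hardened, POST body ->", hardened("POST", "", sample))
    print("hardened, URL creds ->", hardened("POST", "login=x", sample))
```

    Credentials that a server accepts from the query string also end up in browser history and server access logs, which is why the hardened variant rejects them instead of silently ignoring them.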

  6. #6

    Chrome saves my username and password for these forums, maybe other browsers don't.
    - Mike

  7. #7
    Join Date
    Mar 2006
    Location
    Illinois, USA
    Posts
    12,164
    Thanks
    265
    Thanked 690 Times in 678 Posts

    Default

    What? He didn't even say what site this is for. It's not DD (at least I don't think it is...). It's a general question (though applied to whatever specific site he's using).
    Most browsers can store usernames and passwords. I know that IE, Firefox and Chrome do. I don't think that Safari can or at least it's disabled by default. Not sure about the others, but it's a fairly standard feature.

    Regardless, even if a browser can store them, there are certain sites where they are not stored, and one method of doing that is to block it using the AUTOCOMPLETE="off" attribute as above. (I have no idea how effective that is or in what browsers, but I'm guessing it works in at least some of them.) I believe also that on HTTPS connections it may be disabled in most browsers.

  9. #8

    Oh okay, I misread the question. However my comment was just to reveal that some browsers can store passwords (probably already common knowledge though).

    I was also unaware that the autocomplete attribute set to off could prevent browsers from storing passwords; I thought it was just somebody looking for a quick fix and posting the site's code.

    Well I guess you learn something new every day!
    - Mike

  10. #9

    Strictly speaking, it doesn't "prevent" anything - it just notifies the browser that the site doesn't want you to use the autocomplete.

    It shouldn't be used as a security feature, however, even though most browsers respect it (at least, by default). It was intended more as a warning when autocomplete is undesirable (such as text fields that might be used several times during a visit, but are likely to need different entries each time).

  11. #10

    That's true, traq. But it does effectively stop it from working in most circumstances. Do you know how to get around it? I've got a few annoying passwords I'd rather not remember, but I don't use them often enough to make it worth my time to figure out how to disable that...
