Is it possible to add an "active login" (Firefox terminology for HTTP credentials) to a browser by using JavaScript? The JavaScript would simply give username and password to the browser. If it is possible: How?
The goal is to get rid of the popup a browser shows when it asks for HTTP credentials. It only shows the popup if it does not already know the credentials.
To do this, I'd like to show a HTML login form, let the user enter the credentials in it, and on submit pass them to the browser by executing some JS and then redirecting to the protected content.
You may try redirecting to a URL containing the username and password:
http://user:password#host/path?query
Note that due to various security restrictions, this may not always work, or generate security alerts.
Related
So basically my req is to hide 2 fields username and password in a form from viewing it in console log. So what i am planning to do is to listen to event console log and when it executes i remove the values from username and password.
How can i do it? i am also using jquery in my page.
Thanks
You can't do that, and you shouldn't try. Never expose sensitive data like passwords like this.
No you cannot hide these data, because javascript is client-side.
Despite of the advises you received, Facebook uses this system and expose in browser username and password by accessing https://www.facebook.com/login.php?login_attempt=1&lwv=110 when you try to connect, along with all inputs from your form. This procedure is often used before submitting for different reasons: verify email if it is not duplicate, how many login attempts were...
As long as you have SSL connection the only user that can see username, email or password in console is the one who enters these sensitive data in the form so it is not a threat.
So you know how you are presented with a login screen and then, you fill it out, and then the browser loads the next page? At this point, somehow the password manager bar pops up for LastPass, 1Password, or some other extension, asking if you want to save the password. How do they know you've just logged in successfully??
Forms are sometimes submitted and other times the js intercepts the form submit and sends AJAX.
The response comes back and may set a new cookie, but sometimes the existing session cookie continues to be used (allows session fixation attacks but some implementations do that).
A new location is loaded or reloaded but sometimes the javascript reloads a portion of the document instead
But somehow these password managers DETECT that I've logged into a site successfully! How? Is it because I entered something in a password field, and then some form was submitted or some network request was sent? But how do they know it was successful?
Anyone familiar with these password managers able to give some useful info?
The reason I ask is that I want to develop an extension that detects when you've logged in and somehow tries to extract your user id from the service. It is for the purposes of sharing your user id with friends automatically, and letting them know (with your permission) what sites you are using a lot.
Any hints on techniques to extract the logged-in user's id on the service would also be helpful.
They aren't actually aware of a successful login in most cases. They are aware that a form with a password field was submitted, and the response was a 200OK. This may still be a page displaying an error message.
As for extracting user IDs, I'm pretty sure you mean profile pages or something similar. That will have to be done on a site by site basis as sites will have their own APIs and route structures.
As someone already answered this question, I will agree with him.
They aren't actually aware of a successful login in most cases. They are
aware that a form with a password field was submitted, and the response
was a 200OK. This may still be a page displaying an error message.
Since browsers watch for the request having a password field in it and the response status, But still you can fool the browsers easily. To get to know about the logged in userid you definitely need backend support / api. It depends on the authentication frameworks used in the back-end. But you can get the form fields easily, but extracting / finding userid from the form fields is a quiet difficult task, In most cases, form will be having only two fields there you can manage to get the userid. But in some cases like banking sites they will send few dummy fields fool such tools, Also many fields will be encrypted in the client itself to protect man in the middle attacks. In some cases userid is different from email, So its difficult task.
They only detect if the form was submitted, and it a code 200 (OK) was returned. They don't necessarily know if you were logged in, but this method works on most websites. They might also detect if a new page was loaded afterwards, since a failed login doesn't usually redirect the user. I have, however, had a prompt to save an incorrect password before.
They can detect your current tab. and each HTML element of that page.
May we they have list of login page case to detect keywords like
login,username,forgot password. and check all keyword to identify this is login page.
They just ready page and even they can read your password (yes) .
If you made request from that page & response will be 200ok it means your password is correct.
Whenever to request to server with username and password the server checks these two entry into their database and the server will found your data it will return response code 200 and using AJAX success call back script will catch the response code and will show successful message.
and also return some sort of information you can store into localStorage of browser or into cookie for further use.
I have created a couple of pages static HTML and form: So when form is submitted it goes to second page.
Let's test
<form action="test1.html">
<input type="text" />
<input type="password" />
<input type="submit" />
</form>
</body>
Chrome don't bothered anything happened. While firefox has given a popup to save password even when form is submitted to an error page.
So firefox only looks for a form submitted with a password field and asks for save password popup box.
If want to create an extension which can check wheather user is successfully logged-in and then you want to ask for password remember popup. For that you have to check for server response. I couldn't create a dynamic page to to proof read it with browser example.
The application I'm working on relies on many popups. Those popups rely themselves on query strings. If someone can just type the url in the browser address bar, the page will throw an error as the query strings values are dynamically constructed.
function myFunction(id)
{
window.open("mypopup.aspx?id=" + id);
}
Is there a why to prevent the page from displaying if the requester of the page is not a Javascript? If someone type something like:
https://mycompanyname.com/path/mypopup.aspx
It shouldn't let the user do so. Or, at least check whether the requester is not javascript so I can display a message or redirect the user to a different page? Otherwise, without all those pieces of data needed to construct a request, the page will throw an exception.
Thanks for helping.
Validate the query string directly in myPopup.aspx, if something is missing just redirect or display a message.
Use the Request.QueryString collection to validate in myPopup.aspx.
There is no easy way to validate if the request came from javascript as far as I know. You could try creating a token to validate that the sender is the one you expect, but if you only need to validate the parameters, no need to worry about who is sending the request.
The page cannot differentiate how it was requested, if both requests come from a same browser.
However, you can include in query string to differentiate them.
For example,
window.open("mypopup.aspx?request=javascript&id=" + id);
If a user intentionally type in https://mycompanyname.com/path/mypopup.aspx?request=javascript, so be it. I won't worry about it.
Popups are browser windows too. So it will be tricky to check if the window requesting the page is normal window or popup.
You should restrict the users to see on what url the popup is being opened you can hide the address bar. So user can not copy or know the what's in the url.
window.open('/pageaddress.html','winname','directories=no,titlebar=no,toolbar=no,location=no,status=no,menubar=no,scrollbars=no,resizable=no,width=400,height=350');
Setup a token based validation. Make request to server(Ajax request) to get a random token(with one time validation mechanism and expire it), You can send the token in the query string and validate it on server if it's same issued token. Identify if the requested page have valid token(popup) otherwise deny the request or show error message. Think of how captcha works, you just need to do it programmatically.
Though it's also not the best solution as token information can be sniffed through network traffic tracker tools like fiddler but it's will work to prevent manual requests.
I have options to save/share/write on a page, which cannot be done unless they are signed in. Redirecting on click, to sign in page and bringing back can be done using cookies &/or passing URL query parameters (do let me know if there is a better way.
But, what about when the user goes through other pages?
like: trying to save --> sign in page --> forgot password page -->
I am not allowed to use flyouts. Please let me know the best way..
You should more completly learn technologies you are using.
Most convient way for all "keep-user-on-site" scenarios is COOKIE.
COOKIE is the only thing (and they are created for it) that live and send TO and FROM server on every page of SITE.
Cookies use DOMAIN based resolution so u can use single cookie not just for all pages of single domain, but for whole domain family.
But "forgot password" is not case of "keep-user-on-site". It's oppsite to this case. It's "we-know-that-it-is-not-user-for-now" - in this situation you always should prefer to use some temporal hashes in URLs that could be treated by your server as trusted.
Never mix them (cookies for long-live and urls for 'not-users'). When "we-know-that-it-is-not-user-for-now" pages are shown - all cookies, session headers and so on should be killed. At other if someone lost password, ask for new key on E-mail and then reset password - it could not cause LOGON operation and enter on site. You should redirect to logon page.
As you know, Facebook is filtered in many countries, and if we put a "Like" button in our page, they will see a "ACCESS DENIED" message form their internet provider instead of the Like button. so the question is, can I detect if Facebook is viewable by the user or not? so I just show the Like button if the users have access to Facebook and it's not filtered.
Thanks
Test if the domain www.facebook.com is accessible by loading the favicon.ico and if so, show the iframe:
<iframe src="http://www.facebook.com/plugins/like.php" id="fbfm" style="display:none">
</iframe>
<script>
var fbicon = new Image();
fbicon.onload = function() {
document.getElementById("fbfm").style.display = "";
};
fbicon.src = "http://www.facebook.com/favicon.ico?" + Math.random();
</script>
I guess you could set a very small width and height on the like button iframe, just enough for the button itself, and hope that any "ACCESS DENIED" message has enough padding not be visible in the iframe's viewport! :)
The alternative might be to "ping" Facebook, as in make an AJAX request and see what the response is. Hopefully any blocked response from an ISP would contain an HTTP 403 status code, or something sensible, but if not you'd have to scrape the return HTML and try yourself to determine whether you're seeing Facebook or an error page, then decide whether to render the like button or not.
My advice would be to use a service like ShareThis or AddThis. There is a chance that they aren't blocked in your country (you can test it before you use it with and without a VPN) and they give you an advantage that your users can share your website with friends on other portals that are available to them.
It would certainly be interesting for other people to know whether or not those services are available in countries where Facebook is blocked as many of them can't test it themselves.
Use the Facebook javascript library at: http://developers.facebook.com/docs/reference/javascript/
and use the FB.getLoginStatus(...) function to check and decide what you want your application to do. If they have logged in or not (connected or not_authorized) then they are logged into facebook and you can show your like button. If the status is unknown they haven't logged in yet but can see facebook.
If the facebook script does not load or return any value then facebook is probably blocked and you don't want to display your like button.
NOTE: You'll also need to create an app id with facebook to link your javascript to.