Easy Brute-Force Web Password Cracking with HTML Applications

Posted 2008-06-17 in JavaScript by Johann.

Here’s something I did a year ago to help a friend who had forgotten a password.

I wrote an HTML Application (HTA) that would brute-force crack the login form on a website. This particular website used a four-digit number as a password.

HTML Applications

HTML Applications are a long-forgotten (?) technology introduced with Microsoft Internet Explorer 5 on Windows. An HTML Application is a web page whose code runs without security restrictions and can for example use all ActiveX controls available on the system. Of course, the same origin policy is disabled, too.

Automating web pages

Since the same origin policy that would prohibit cross-domain communication is disabled, my crack tried out all number combinations by filling out the login form and submitting it until a certain text was not present on the page.

Example Code

Download a demo HTML application.

It should work on Microsoft Windows in Internet Explorer 5 and greater. And no, despite the name, it does not do anything nasty.

If you look into the source, you’ll notice that there is not much of it. All I do is

  1. loading a web page in an IFrame,
  2. binding a JavaScript event handler to the onload event and
  3. accessing the DOM of the remote web page to submit a form or to look at the innerHTML property.

Bonus information

I thought that HTML Applications would make for a very interesting concept for content scrapers. If you would like to find out whether your website is framed in an HTML application, you can access the document.body.clientWidth property. If your web page is contained in an HTML Application, this property is 0.

5 comments

#1 2008-06-18 by Awesome AnDrEw

Unfortunately your blog does not want to allow my comment (perhaps it's too long). Being that I've just done quite a bit of experimentation with the HTA file over the past hour I have concluded that while it's not bound by the cross-domain policy and the rest of the security features as the browser normally is third-party resources within elements such as the IFRAME are. In other words the HTA document has access to the IFRAME and the DOM within it, but not vice versa. This makes it difficult to detect if the content is being accessed from an HTA file, because the clientWidth returns a value greater than 0, the parent location is not accessible, and unlike Microsoft Internet Explorer 7's MHT file local file system paths are not inadvertantly leaked to remote servers (HTTP GET requests made from MHT files to third-party images appear with a referrer pointing to the file:// protocol). Any ideas as to how it would be possible to prevent such an attack?

#2 2008-06-19 by Johann

Andrew,

thanks for the extra test. I did find that clientWidth was 0 in my tests. What version of Internet Explorer were you using?

If clientWidth doesn't work anda there's no other property that has an unusual value, it's going to be hard to detect this.

#3 2008-06-20 by Awesome AnDrEw

Since the contents of the IFRAME fall within the context of the browser's normal security policies Javascript "frame-busters" will not work, because they cannot access anything outside of themselves. The value returned by parent.frames.length is a constant 0, and so the rest of the statement never executes, and neither will code following "if (self.location != top.location){}". So as far as I can tell we've hit a roadblock, but I am willing to test whatever anyone can come up with.

#4 2008-06-25 by Awesome AnDrEw

I used Microsoft Internet Explorer 7 to perform each of the trials using the HTA file. Running the first few sets of tests I examined the possibilities created due to the application's elevated privileges. As you stated it completely circumvents the cross-domain policy in addition to other ActiveX security settings, which allow methods such as window.close() to execute without a confirmation prompt. All inline, or remote client-side scripts embedded within the page being loaded into the HTA's IFRAME however are bound by the cross-domain restriction, cannot access the parent document, and instead throw a "Permission Denied" or "Access Denied" error.
The HTTP GET request generated by the IFRAME is no different than if it had been created by a normal webpage, and the User-Agent does not provide any additional parameters to hint that the resources are being viewed using the file. Any images hotlinked from a remote server, and placed directly in the file drop the referrer header as well. So I am pretty much out of ideas as to how this would be possible to detect, and mitigate :-[.

#5 2008-06-25 by tm

try this it used to work if (self.parent.frames.length != 0)
self.parent.location="test2.html"

Subscribe

RSS 2.0, Atom or subscribe by Email.

Top Posts

  1. DynaCloud - a dynamic JavaScript tag/keyword cloud with jQuery
  2. 6 fast jQuery Tips: More basic Snippets
  3. xslt.js version 3.2 released
  4. xslt.js version 3.0 released XML XSLT now with jQuery plugin
  5. Forum Scanners - prevent forum abuse
  6. Automate JavaScript compression with YUI Compressor and /packer/

Categories

Navigation