How to protect a <input type='password'/> from XSS?



  • Most sites having a sign in form have the following html element:

    <input type="password" name="password" />
    

    If I press F12 to open the debugger on chrome and type:

    document.getElementsByName("password")[0].value
    

    this will retrieve the password. A hacker could write an XSS in which the password is read and sent to his server, then log in to my CMS. On Bank of America's website, the password input's value is shown as "secret"; they have a solution to protect it. The real password is inaccessible, thus protected.

    What are some solutions to this?



  • The only reasonable solution, as commented multiple times, is to protect against XSS on the very beginning. You don't want to focus on the password box.

    A successful XSS can do any possible harm to the web page, not limited to sniffing the input box, but also redirecting the login form to possibly anywhere else, or social-engineering an official endorsement ("BofA detected a security flaw in your browser, hurry and download our extension" is a very successful malvertising).

    The browser is software under the user's control, so Developer Tools exist to help the (advanced) user take full ownership of the HTML document which is run on their end.

    I believe your approach is wrong for this reason. As long as your login page cannot be contaminated by XSS, and as long as the user is not installing a keylogger/malware extension into their browser, you have no reason to protect the password box.

    Protecting from XSS is a totally different topic.

