0/ Intro

XSS is everywhere, on a lot of websites. It has been called the most underrated security vulnerability.
On one hand, you can pop up an alert('PWNED'), but an alert() in your browser is not really something to fear.
On the other hand, people tend to store login/password pairs in the browser. You log on to intranet.corp and Firefox asks to save the password. You click yes.
After a chat with @XeR, we figured out that we can combine both to silently steal your credentials with a simple XSS, without any user interaction.
1/ Show me the code, or die()!

Our login form for intranet.corp:
Log once, store password in browser:
The browser has saved the password. If you return to the login.html page, the user and pass fields are already filled in.
The attacker can now log in to intranet.corp. Note that the user doesn't need to be tricked into entering information in a fake form, or phished. The JS code will nicely ask the browser to hand over the login/pass.
3/ Best parts

You don't need any user interaction for this attack. The user doesn't have to type login and pass into a form; they just have to trigger the XSS.
This has nothing to do with cookies, so HTTPS or HttpOnly won't help. We want the pass, we have the pass.
Moar fun: the user doesn't even need to be logged in! If the XSS is triggered, boom, the credz belong to the attacker.
If you find a stored XSS on a site with many users, you raise your chances of getting credz; just wait.
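Since cookie flags don't help here, the only real fix is to keep the injected script from running at all, which means never letting untrusted text reach the page as markup. The snippet below is an added example, not code from the original post: the same constructed comment string rendered with the vulnerable concatenation pattern and with HTML encoding. The function names (escapeHtml, renderUnsafe, renderSafe, containsInjectedTags) and the sample comment are assumptions made for the example.

```javascript
// Added example (not from the original post). Encodes the five characters
// that can open a tag, close an attribute, or start an entity in HTML text
// and double-quoted attribute contexts.
function escapeHtml(input) {
  const map = {
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  };
  return String(input).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable: untrusted values are concatenated straight into markup.
// Anything containing '<' becomes live HTML once this string hits innerHTML
// or a server-side template; this is the pattern that creates the XSS.
function renderUnsafe(username, comment) {
  return `<div class="comment"><b>${username}</b>: ${comment}</div>`;
}

// Hardened: every untrusted value is encoded for the HTML text context,
// so the browser shows the characters instead of parsing them as tags.
function renderSafe(username, comment) {
  return `<div class="comment"><b>${escapeHtml(username)}</b>: ${escapeHtml(comment)}</div>`;
}

// Constructed sample input: a stored "comment" carrying markup. The script
// body is deliberately left empty; only the tag structure matters here.
const SAMPLE_COMMENT =
  'great post <form id="x"><input type="password"></form><script></script>';

// Defender-side check: does the rendered HTML still contain a raw tag that
// the application itself never emits? Useful as a regression test on the
// rendering layer, or as a detection rule over stored content.
function containsInjectedTags(html) {
  return /<(form|script|input)\b/i.test(html);
}

// Stand-alone demonstration when run directly with node.
if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe :', renderUnsafe('bob', SAMPLE_COMMENT));
  console.log('safe   :', renderSafe('bob', SAMPLE_COMMENT));
  console.log('unsafe leaks tags:', containsInjectedTags(renderUnsafe('bob', SAMPLE_COMMENT)));
  console.log('safe leaks tags  :', containsInjectedTags(renderSafe('bob', SAMPLE_COMMENT)));
}
```

The encoder covers the HTML text and double-quoted attribute contexts only; a value placed inside a script block, a URL, or a CSS property needs the encoder for that context, and a Content-Security-Policy that forbids inline script is the sensible second layer when the template cannot be fully trusted.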
99/ Outro

Be nice to others, and in case you wonder, I don't use the password manager of my browser.
Thanks to @XeR for the chat which led to this.
8 times down. 9 times up!
Finding the XSS is an exercise left to the reader.