Sunday, September 21, 2008

Javascript to unmask password on web pages

Here is some JavaScript, tested on Firefox & IE!

javascript: alert(document.getElementById('Passwd').value);

Just copy the above code and paste it into your browser's address bar (navigation bar or URL bar).


There is one more similar script! This one changes the HTML tag's “type” attribute from “password” to “text”!

javascript: alert(document.getElementById('Passwd').type='text');

On hitting Enter you will see a prompt; just ignore it and look at the screen… The password field will now be unmasked.

The above script may fail on Hotmail when opened in Firefox! But don’t worry,

Try the following code in the same way! This does not work with the antique IE 6.0, and with the release of Firefox 2.0, I did not bother to give IE 7.0 a try!

This will again show the password in a prompt, like above!

javascript: function getElementsByAttribute(oElm, strTagName, strAttributeName, strAttributeValue){ var arrElements = (strTagName == "*" && oElm.all)? oElm.all : oElm.getElementsByTagName(strTagName); var arrReturnElements = new Array(); var oAttributeValue = (typeof strAttributeValue != "undefined")? new RegExp("(^|\\s)" + strAttributeValue + "(\\s|$)") : null; var oCurrent; var oAttribute; for(var i=0; i<arrElements.length; i++){ oCurrent = arrElements[i]; oAttribute = oCurrent.getAttribute && oCurrent.getAttribute(strAttributeName); if(typeof oAttribute == "string" && oAttribute.length > 0){ if(typeof strAttributeValue == "undefined" || (oAttributeValue && oAttributeValue.test(oAttribute))){ arrReturnElements.push(oCurrent);}}} return arrReturnElements; } alert( getElementsByAttribute(document.body, "input", "type", "password")[0].value);

And this will unmask the password field like above!

javascript: function getElementsByAttribute(oElm, strTagName, strAttributeName, strAttributeValue){ var arrElements = (strTagName == "*" && oElm.all)? oElm.all : oElm.getElementsByTagName(strTagName); var arrReturnElements = new Array(); var oAttributeValue = (typeof strAttributeValue != "undefined")? new RegExp("(^|\\s)" + strAttributeValue + "(\\s|$)") : null; var oCurrent; var oAttribute; for(var i=0; i<arrElements.length; i++){ oCurrent = arrElements[i]; oAttribute = oCurrent.getAttribute && oCurrent.getAttribute(strAttributeName); if(typeof oAttribute == "string" && oAttribute.length > 0){ if(typeof strAttributeValue == "undefined" || (oAttributeValue && oAttributeValue.test(oAttribute))){ arrReturnElements.push(oCurrent);}}} return arrReturnElements; } ; alert( getElementsByAttribute(document.body, "input", "type", "password")[0].type="text" ) ;

The above scripts were successfully tested on the Gmail, Yahoo, Hotmail and Rediff login pages! Orkut's login pages have frames, so the above may fail! In Firefox you can also right-click on any frame, open that frame separately in a different window or tab, and then use any of the above scripts!
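Seen from the page's side, the two behaviours above differ: flipping “type” from “password” to “text” shows up as an attribute mutation, while reading .value leaves no trace in the DOM. The following is an added example, not part of the original post, that classifies such mutation records; findUnmaskEvents, watchPasswordFields and the sample records are assumed names and constructed data.

```javascript
// Added example; function and field names are assumptions, not from the post.
// Pure classifier: takes MutationRecord-like objects, returns unmask findings.
function findUnmaskEvents(records) {
  const findings = [];
  for (const r of records) {
    // Only changes to the "type" attribute of <input> elements matter here.
    if (r.type !== 'attributes' || r.attributeName !== 'type') continue;
    const el = r.target;
    if (!el || String(el.tagName).toUpperCase() !== 'INPUT') continue;
    const before = String(r.oldValue || '').toLowerCase();
    // Current value at callback time; a missing type attribute means "text".
    const after = String(el.getAttribute('type') || 'text').toLowerCase();
    if (before === 'password' && after !== 'password') {
      findings.push({ id: el.id || null, from: before, to: after });
    }
  }
  return findings;
}

// Browser wiring: attributeOldValue is needed so the previous type is recorded.
function watchPasswordFields(doc, onFinding) {
  const observer = new MutationObserver(function (records) {
    findUnmaskEvents(records).forEach(onFinding);
  });
  observer.observe(doc.documentElement, {
    subtree: true, attributes: true,
    attributeFilter: ['type'], attributeOldValue: true
  });
  return observer;
}

// Constructed sample records (not captured from a real page) for offline runs.
function fakeInput(id, type) {
  return { tagName: 'INPUT', id: id,
           getAttribute: function (n) { return n === 'type' ? type : null; } };
}
const SAMPLE_RECORDS = [
  { type: 'attributes', attributeName: 'type', oldValue: 'password', target: fakeInput('Passwd', 'text') },
  { type: 'attributes', attributeName: 'class', oldValue: 'a', target: fakeInput('Passwd', 'password') },
  { type: 'attributes', attributeName: 'type', oldValue: 'text', target: fakeInput('Email', 'email') },
  { type: 'childList', attributeName: null, oldValue: null, target: fakeInput('Passwd', 'password') }
];

if (typeof document !== 'undefined' && typeof MutationObserver !== 'undefined') {
  watchPasswordFields(document, function (f) { console.warn('password field unmasked:', f); });
} else {
  console.log(findUnmaskEvents(SAMPLE_RECORDS));
}
```

A page's own “show password” toggle produces the same record, so a finding is a signal to correlate, not proof of tampering.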

Also, any password field can be unmasked using the DOM Inspector in Firefox! Please don’t make the false assumption that Firefox is insecure! There is a feature called “master password” in Firefox! That will protect your passwords against all JavaScript, DOM Inspectors, etc.!

Who needs revelation (at least for web pages) … Enjoi!!!

Related Link:
Inspect Element with DOM Inspector
(Please note that the DOM Inspector must be installed. Select “Developer Tools” during custom setup of Firefox.)

Click here to download Firefox!

Credits: Thanks to Robert Nyman for getElementsByAttribute! I wish a function like this were included in the standard!