Busting Password Managers: AJAX Logins

By Tim MalcomVetter, Paul Wowk ·

This is a continuation of our series on Busting Password Managers. Check out the first post here.

Hypothesis: If the username and password are submitted using AJAX, then browsers will not save passwords.

The Technique: Our theory is that browsers only identify passwords inside of typical, synchronous HTML form submit events. Our goal is to disguise the authentication request containing the username and password in an AJAX call. To test this out, we started with the default Visual Studio 2013 ASP.NET MVC C# project. The source code for our test is available on GitHub at https://github.com/pvwowkfn/AutoCompleteBlog/tree/AsynchSubmit.

Consider this example:

There are two things that should stand out. First, the “Login” button is not inside the form tags, so clicking it does not submit the form in the normal way. Instead, authentication must go through a specific function called “submitForm()”. Second, the form tag contains an “action” that points to a non-existent form handler, because the normal mechanism for submitting a form will never be used. The real submission logic is defined in the script below, which contains the “submitForm()” function.

In this script, there are several pieces of critical information. First, it reads the values of the input fields and produces the POST body; normally the browser does this automatically when a submit button is clicked. The second part is the AJAX POST request, which sends the server a request that looks like any normal POST authentication request. However, the meat of this code is in the “done” function, which handles the success and failure results. Our example replaces all content in the Document Object Model (“DOM”) with the content of the server response, which shows whether user authentication succeeded or failed. A simple redirect using window.location may work as well.
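The following is an added example that reconstructs the flow described in the two paragraphs above; it is not the code from the post or from the linked GitHub project. It assumes a form with id "loginForm" whose inputs carry name attributes (for example "UserName" and "Password"), a server endpoint at "/Account/Login", and uses fetch() in place of the jQuery call the post's "done" handler implies. The body builder and the response-handling decision are kept as pure functions so they can be checked outside a browser.

```javascript
// Added example (not the original project's code): a hand-rolled AJAX login in
// the shape the post describes. Assumptions: the form has id "loginForm" and
// its inputs carry name attributes (e.g. "UserName", "Password"); the server
// endpoint is "/Account/Login"; fetch() stands in for the jQuery request.

// Build the application/x-www-form-urlencoded body that the browser would
// otherwise assemble itself on a native submit. Takes [name, value] pairs so
// field order is preserved and hidden inputs (an anti-forgery token, say)
// travel along with the credentials.
function buildPostBody(fields) {
  return fields
    .map(([name, value]) => encodeURIComponent(name) + "=" + encodeURIComponent(value))
    .join("&");
}

// Read every named input from a form element (browser-only helper).
function collectFields(form) {
  return Array.from(form.querySelectorAll("input[name]")).map((el) => [el.name, el.value]);
}

// Decide how to handle the server's answer. The post swaps the response HTML
// into the DOM; a redirect via window.location is the alternative it mentions.
// Kept pure so the decision can be tested without a DOM.
function planResponseHandling(status, redirectedUrl) {
  if (redirectedUrl) {
    return { action: "redirect", target: redirectedUrl };
  }
  if (status >= 200 && status < 300) {
    return { action: "replace-dom" };
  }
  return { action: "show-error", status: status };
}

// The submitForm() the post's "Login" button calls. Because the button sits
// outside the <form>, no native submit event ever fires; the credentials only
// ever leave the page inside this asynchronous request.
async function submitForm() {
  const form = document.getElementById("loginForm");
  const body = buildPostBody(collectFields(form));
  const response = await fetch("/Account/Login", {
    method: "POST",
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: body,
    credentials: "same-origin",
  });
  // fetch() follows redirects itself; response.url then holds the final page.
  const plan = planResponseHandling(response.status, response.redirected ? response.url : null);
  if (plan.action === "redirect") {
    window.location = plan.target;
  } else if (plan.action === "replace-dom") {
    document.documentElement.innerHTML = await response.text();
  } else {
    alert("Login failed (HTTP " + plan.status + ")");
  }
}
```

Whether a browser offers to save the password after this kind of request depends entirely on that browser's own heuristics for recognising a credential submission, which are not part of any standard and differ between vendors and versions; the results reported below reflect the browsers as tested at the time of the post.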

During testing, Chrome, Firefox, IE, Safari on iOS and Chrome on Android did not appear to detect that a login form had been submitted: none of them prompted to save the password.

Successfully works on:

Chrome: Yes
Firefox: Yes
IE: Yes
Safari on iOS: Yes
Chrome on Android: Yes
