2007-04-22 16:56:06 -07:00
|
|
|
<!DOCTYPE HTML>
|
|
|
|
<html>
|
|
|
|
<head>
|
2007-05-16 03:02:45 -07:00
|
|
|
<title>Test for Login Manager</title>
|
2009-05-06 13:46:04 -07:00
|
|
|
<script type="text/javascript" src="/MochiKit/packed.js"></script>
|
2007-04-22 16:56:06 -07:00
|
|
|
<script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
|
|
|
|
<script type="text/javascript" src="pwmgr_common.js"></script>
|
|
|
|
<link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
|
|
|
|
</head>
|
|
|
|
<body>
|
2007-05-16 03:02:45 -07:00
|
|
|
Login Manager test: 360493
|
2007-04-22 16:56:06 -07:00
|
|
|
<p id="display"></p>
|
|
|
|
<div id="content" style="display: none">
|
|
|
|
|
|
|
|
<!-- The tests in this page exercise things that shouldn't work. -->
|
|
|
|
|
|
|
|
<!-- Change port # of action URL from 8888 to 7777 -->
|
2007-06-25 14:20:55 -07:00
|
|
|
<form id="form1" action="http://localhost:7777/tests/toolkit/components/passwordmgr/test/formtest.js">
|
|
|
|
<input type="text" name="uname">
|
|
|
|
<input type="password" name="pword">
|
2007-04-22 16:56:06 -07:00
|
|
|
|
|
|
|
<button type="submit">Submit</button>
|
|
|
|
<button type="reset"> Reset </button>
|
|
|
|
</form>
|
|
|
|
|
|
|
|
<!-- No port # in action URL -->
|
2007-06-25 14:20:55 -07:00
|
|
|
<form id="form2" action="http://localhost/tests/toolkit/components/passwordmgr/test/formtest.js">
|
|
|
|
<input type="text" name="uname">
|
|
|
|
<input type="password" name="pword">
|
2007-04-22 16:56:06 -07:00
|
|
|
|
|
|
|
<button type="submit">Submit</button>
|
|
|
|
<button type="reset"> Reset </button>
|
|
|
|
</form>
|
|
|
|
|
|
|
|
<!-- Change protocol from http:// to ftp://, include the expected 8888 port # -->
|
2007-06-25 14:20:55 -07:00
|
|
|
<form id="form3" action="ftp://localhost:8888/tests/toolkit/components/passwordmgr/test/formtest.js">
|
|
|
|
<input type="text" name="uname">
|
|
|
|
<input type="password" name="pword">
|
2007-04-22 16:56:06 -07:00
|
|
|
|
|
|
|
<button type="submit">Submit</button>
|
|
|
|
<button type="reset"> Reset </button>
|
|
|
|
</form>
|
|
|
|
|
|
|
|
<!-- Change protocol from http:// to ftp://, no port # specified -->
|
2007-06-25 14:20:55 -07:00
|
|
|
<form id="form4" action="ftp://localhost/tests/toolkit/components/passwordmgr/test/formtest.js">
|
|
|
|
<input type="text" name="uname">
|
|
|
|
<input type="password" name="pword">
|
2007-04-22 16:56:06 -07:00
|
|
|
|
|
|
|
<button type="submit">Submit</button>
|
|
|
|
<button type="reset"> Reset </button>
|
|
|
|
</form>
|
|
|
|
|
|
|
|
<!-- Try a weird URL. -->
|
2007-06-25 14:20:55 -07:00
|
|
|
<form id="form5" action="about:blank">
|
|
|
|
<input type="text" name="uname">
|
|
|
|
<input type="password" name="pword">
|
2007-04-22 16:56:06 -07:00
|
|
|
|
|
|
|
<button type="submit">Submit</button>
|
|
|
|
<button type="reset"> Reset </button>
|
|
|
|
</form>
|
|
|
|
|
|
|
|
<!-- Try a weird URL. (If the normal embedded action URL doesn't work, that should mean other URLs won't either) -->
|
2007-06-25 14:20:55 -07:00
|
|
|
<form id="form6" action="view-source:http://localhost:8888/tests/toolkit/components/passwordmgr/test/formtest.js">
|
|
|
|
<input type="text" name="uname">
|
|
|
|
<input type="password" name="pword">
|
2007-04-22 16:56:06 -07:00
|
|
|
|
|
|
|
<button type="submit">Submit</button>
|
|
|
|
<button type="reset"> Reset </button>
|
|
|
|
</form>
|
|
|
|
|
|
|
|
<!-- Try a weird URL. -->
|
2007-06-25 14:20:55 -07:00
|
|
|
<form id="form7" action="view-source:formtest.js">
|
|
|
|
<input type="text" name="uname">
|
|
|
|
<input type="password" name="pword">
|
2007-04-22 16:56:06 -07:00
|
|
|
|
|
|
|
<button type="submit">Submit</button>
|
|
|
|
<button type="reset"> Reset </button>
|
|
|
|
</form>
|
|
|
|
|
|
|
|
<!-- Action URL points to a different host (this is the archetypical exploit) -->
|
2007-06-25 14:20:55 -07:00
|
|
|
<form id="form8" action="http://www.cnn.com/">
|
|
|
|
<input type="text" name="uname">
|
|
|
|
<input type="password" name="pword">
|
2007-04-22 16:56:06 -07:00
|
|
|
|
|
|
|
<button type="submit">Submit</button>
|
|
|
|
<button type="reset"> Reset </button>
|
|
|
|
</form>
|
|
|
|
|
|
|
|
<!-- Action URL points to a different host, user field prefilled -->
|
2007-06-25 14:20:55 -07:00
|
|
|
<form id="form9" action="http://www.cnn.com/">
|
|
|
|
<input type="text" name="uname" value="testuser">
|
|
|
|
<input type="password" name="pword">
|
2007-04-22 16:56:06 -07:00
|
|
|
|
|
|
|
<button type="submit">Submit</button>
|
|
|
|
<button type="reset"> Reset </button>
|
|
|
|
</form>
|
|
|
|
|
|
|
|
<!-- Try wrapping a evil form around a good form, to see if we can confuse the parser. -->
|
2007-06-25 14:20:55 -07:00
|
|
|
<form id="form10-A" action="http://www.cnn.com/">
|
|
|
|
<form id="form10-B" action="formtest.js">
|
|
|
|
<input type="text" name="uname">
|
|
|
|
<input type="password" name="pword">
|
2007-04-22 16:56:06 -07:00
|
|
|
|
|
|
|
<button type="submit">Submit (inner)</button>
|
|
|
|
<button type="reset"> Reset (inner)</button>
|
|
|
|
</form>
|
|
|
|
<button type="submit" id="neutered_submit10">Submit (outer)</button>
|
|
|
|
<button type="reset">Reset (outer)</button>
|
|
|
|
</form>
|
|
|
|
|
|
|
|
<!-- Try wrapping a good form around an evil form, to see if we can confuse the parser. -->
|
2007-06-25 14:20:55 -07:00
|
|
|
<form id="form11-A" action="formtest.js">
|
|
|
|
<form id="form11-B" action="http://www.cnn.com/">
|
|
|
|
<input type="text" name="uname">
|
|
|
|
<input type="password" name="pword">
|
2007-04-22 16:56:06 -07:00
|
|
|
|
|
|
|
<button type="submit">Submit (inner)</button>
|
|
|
|
<button type="reset"> Reset (inner)</button>
|
|
|
|
</form>
|
|
|
|
<button type="submit" id="neutered_submit11">Submit (outer)</button>
|
|
|
|
<button type="reset">Reset (outer)</button>
|
|
|
|
</form>
|
|
|
|
|
|
|
|
<!-- TODO: probably should have some accounts which have no port # in the action url. JS too. And different host/proto. -->
|
|
|
|
<!-- TODO: www.site.com vs. site.com? -->
|
|
|
|
<!-- TODO: foo.site.com vs. bar.site.com? -->
|
|
|
|
|
|
|
|
</div>
|
|
|
|
<pre id="test">
|
|
|
|
<script class="testbody" type="text/javascript">
|
|
|
|
|
2007-05-16 03:02:45 -07:00
|
|
|
/** Test for Login Manager: 360493 (Cross-Site Forms + Password Manager = Security Failure) **/
|
2007-04-22 16:56:06 -07:00
|
|
|
|
|
|
|
function startTest() {
|
|
|
|
for (var i = 1; i <= 8; i++) {
|
|
|
|
// Check form i
|
2007-06-25 14:20:55 -07:00
|
|
|
is($_(i, "uname").value, "", "Checking for unfilled username " + i);
|
|
|
|
is($_(i, "pword").value, "", "Checking for unfilled password " + i);
|
2007-04-22 16:56:06 -07:00
|
|
|
}
|
|
|
|
|
2007-06-25 14:20:55 -07:00
|
|
|
is($_(9, "uname").value, "testuser", "Checking for unmodified username 9");
|
|
|
|
is($_(9, "pword").value, "", "Checking for unfilled password 9");
|
2007-04-22 16:56:06 -07:00
|
|
|
|
2007-06-25 14:20:55 -07:00
|
|
|
is($_("10-A", "uname").value, "", "Checking for unfilled username 10A");
|
|
|
|
is($_("10-A", "pword").value, "", "Checking for unfilled password 10A");
|
|
|
|
//is($_("10-B", "uname").value, "", "Checking for unfilled username 10B");
|
|
|
|
//is($_("10-B", "pword").value, "", "Checking for unfilled password 10B");
|
2007-04-22 16:56:06 -07:00
|
|
|
|
|
|
|
// The DOM indicates this form could be filled, as the evil inner form
|
|
|
|
// is discarded. And yet pwmgr seems not to fill it. Not sure why.
|
|
|
|
todo(false, "Mangled form combo not being filled when maybe it could be?");
|
2007-06-25 14:20:55 -07:00
|
|
|
is($_("11-A", "uname").value, "testuser", "Checking filled username 11A");
|
|
|
|
is($_("11-A", "pword").value, "testpass", "Checking filled password 11A");
|
|
|
|
//is($_("11-B", "uname").value, "", "Checking for unfilled username 11B");
|
|
|
|
//is($_("11-B", "pword").value, "", "Checking for unfilled password 11B");
|
2007-04-22 16:56:06 -07:00
|
|
|
|
2007-06-25 14:20:55 -07:00
|
|
|
// Verify this by making sure there are no extra forms in the document, and
|
|
|
|
// that the submit button for the neutered forms don't do anything.
|
2007-04-22 16:56:06 -07:00
|
|
|
// If the test finds extra forms the submit() causes the test to timeout, then
|
|
|
|
// there may be a security issue.
|
|
|
|
is(document.forms.length, 11, "Checking for unexpected forms");
|
|
|
|
$("neutered_submit10").click();
|
|
|
|
$("neutered_submit11").click();
|
|
|
|
|
|
|
|
SimpleTest.finish();
|
|
|
|
}
|
|
|
|
|
|
|
|
window.onload = startTest;
|
|
|
|
|
|
|
|
SimpleTest.waitForExplicitFinish();
|
|
|
|
|
|
|
|
</script>
|
|
|
|
</pre>
|
|
|
|
</body>
|
|
|
|
</html>
|
|
|
|
|