Web based keylogger test

See how your defences stack up against this simulated attack

https://ie.microsoft.com/testdrive/browser/mixedcontent

https://ie.microsoft.com/testdrive/browser/mixedcontent/assets/woodgrove.htm

FF v3.6.11 - XP/SP2 - Admin

Using NoScript to toggle scripts on/off





If i test by seperately ONLY allowing - https://ie.microsoft.com - and then retest by seperately ONLY allowing - http://ie.microsoft.com - it didn't work ?

However if i allowed both at the same time it worked ?



I copied/pasted some text into the PW box, which didn't work



So directly entering data with scripting enabled works, but with scripting enabled & copy/pasting i was secure.

I got NO alerts from Prevx/Zemana or Anything else ?

*

overangry has a Prevx thread about it - www.wilderssecurity.com/showthread.php?p=1773983#post1773983 - but as it's not just specific to Prevx i thought it best to not go off topic and start this thread

 

Interesting post!!! I got no alerts either from spyshelter...prevx was very silently watching this

 

IE8 with the highest security template from Microsoft Security Compliance Manager failed.
I don't think Prevx / Spyshelter / Zemana would be capable of protecting from this.

hey Kernelwars does your Avast Free has "Web Shield" ON? did it block anything from this test?

 

Further discussion
https://www.wilderssecurity.com/showthread.php?t=285324

Thread reopened as was closed in error. Apology for inconvenience

 

OA Premium with Emsisoft AM, Win7/64, FF 3.6.11 set "run safer" on my test system was silent as well. I've yet to try the site on my other, NIS2011 setup, but I'm not optimistic.

 

PE Guard 2 fails as does the Firefox add-on Perspectives 4.0.

 

I was shocked to see keyscrambler pro fail. Can anyone test it against defensewall? or geswall?

 

that's bad news buddy let's see if some one test DefenseWall

 

Sorry for the late reply... I have been thoroughly mad.. Avast was silent as well.. But i dont know how the pro version will react with script shield on

 

J how did eset deal with it.

 

Actually Cloneman, IMO, copy/paste fails as well After you copy/paste, just hit one key on your keyboard and you'll see it already captured the copy/paste text

And Thanks Cudni for re-opening!

 

Geswall fails, so probably Defensewall and Sandboxie would fail as well.

only things that work is to verify that you actually have a legit https transaction (check certificate if you feel paranoid) or disable javascript.

 

How is opera handling this? Can anyone please test?

 

IE9 passes the test, while IE8 will pass it if you disable (or prompt) Mixed Content in the Security Settings.
https://www.wilderssecurity.com/showpost.php?p=1774024&postcount=19

 

Showed safe in the beginning, then the message changed to i was in danger.
And failed to protect. Current setup is in sig (Using Latest Chrome

 

Eset is silent -> FAILS.

 

I think this test is just useless. They added a browser feature that doesn,t exist in other browsers so they will fail the test with defaults. Just wait and see other browsers adding something like this too.

Also being something inside the browser, your security applications can,t protect against it. I will give an example. Can any security application intercept XSS attack in the browser? No, definitely not.

BTW the browser will tell you that it,s a mixed content page( http plus https).

 

There's 1 problem, Even if no-script does pass - thats cause you disabled scripting...If the site was legitimate then you'd need to allow the script to login, right?

 

Yes, and NOT only a legitimate www but a phish one too !

 

I've been re-thinking about this test.

1 - Can this be described as a "Man in the browser Attack" ? If so PSOL, at least, is supposed to protect against such things ! If it isn't, what's the official terminolgy for it ?

2 - Any www HTTP/HTTPS we need to enter a PW/User name etc on obviously already has our data stored somewhere in it's database, otherwise we couldn't log in. So it appears to me that this test is hardly stealing etc anything, as the www has our data already. Even if a www was a full SSL login, or not, the stored data might not be encrypted, so i'm thinking they can retrieve it locally at their end, if they wanted to ?

*

Copy/Paste re-test



Allowed scripts



Yes you're right I missed doing that Thanks

 

I agree with you.
As I have been saying in prevx forum.

It is not really that big a threat. It is really easy to spot it.
You will see that it IS mixed content with almost any browser.

And It is not something new.
Look at the date of the article Microsoft links.
http://blog.watchfire.com/wfblog/2009/02/active-man-in-the-middle-attacks.html (February 2009)
http://37signals.com/svn/posts/1431-mixed-content-warning-how-i-loathe-thee (November 2008 )

And this is from article written almost 2 years ago....
As you can see, In 2008 both firefox and IE already had warning for mixed content.

no, it is not in the browser.
It is Man in the middle attack.

2- as I said it is man in the middle.

it theoretically can be exploited:
Simple example, lets say:
A) you are using public wifi and
b) login in to some sensitive site which for some strange reasons use mixed content on login page.
c) someone tampers data in this mixed page. He doesn't touch ssl connection , so certificate is still there. But he put malicious script into http connection.

But I dont think it is really that big of a threat.
a) why you are trying to login while using public wifi?
b) why the hell your bank (or other site) uses mixed content instead of full ssl? only benefit of using mixed content is:

Is your bank stupid? Does he want to use browser cache to speed up browsing but insanely decrease security? (due to caching of sensitive data+ this type of attack)...

Or to use google ads inside ssl page... (I will not even comment for this one. it is just stupid)

c) cant you see that something wrong with your browser? red skull? crossed https? crossed lock?

So, I think it is just a exploit which was there for years, but now it is making such a noise because of marketing trick by Microsoft.

I can not see the point of testing it against AV products....


P.S. in my opinion sending session cookies in non ssl connection is way way bigger threat which can actually be abused. ( and somehow it doesn't get half the spotlight as this "exploit")

P.S.2. Anyway, moving into full ssl encrypted internet seems a way to go.

 

Set Disable mix content for both Internet Zone and Trusted websites to
a) Enable -> Disable

You won't get the prompt Konota mentions (good old 'unsafe' IE8 passes ) with this fake https. I can't imagine a bank designing a safe tunnel with mixed content, so you can safely set it to disable. See picture with GPEDIT.msc disallowing mixed content.

Please read Aigle and Jav responses, it is as we say in Holland, a storm in a glass of water.

NB look at the system tray: only safe-admin and Windows FW-2way, no icons of security programs

 

Hi Kees, do you perhaps know of a way to disable mixed content in Firefox and Opera? In Firefox I found a warning you could turn on, but you can't let it load the HTTPS content only, in Opera there isn't even a warning.

 

No Sorry,

I am using IE8 and Chrome. IE8 has it build. Chrome has a extention which prevents entering unsafe passwords. Download here https://chrome.google.com/extensions/detail/mjpinemnkjlppmemjfabdaelpfgfjgkj

See it kicking in picture 1

You have to click options and manaully enter the domainname plus suffix, refesh page to surpress warnings, see pic 2

Regards

 

Here you go..