added arbitrary check for password in form
twocanoes committed Jul 21, 2022
1 parent 5cd70f0 commit 9d1dada
Showing 6 changed files with 173 additions and 46 deletions.
4 changes: 4 additions & 0 deletions XCreds/MainController.swift
Expand Up @@ -35,6 +35,10 @@ class MainController: NSObject {
}

guard let tokens = tokenInfo["tokens"] as? Tokens else {
let alert = NSAlert()
alert.addButton(withTitle: "OK")
alert.messageText="Invalid tokens or password not determined. Please check the log."
alert.runModal()
return
}
if tokens.refreshToken.count>0 {
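Review bot: The new alert text `"Invalid tokens or password not determined. Please check the log."` sends the user to the log, but this branch writes nothing to it; the rest of this commit logs through TCSLogWithMark, so add `TCSLogWithMark("tokenInfo carries no Tokens value; password not determined")` before `alert.runModal()` so there is something to find. NSAlert has to be presented on the main thread; if the enclosing function (it appears to be run(), going by the breakpoint list in this commit) can be reached from a notification or completion handler off the main thread, the alert needs a main-actor hop — confirm from the callers, which are outside the hunk. The function starts before the hunk and continues past it.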
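--- a/XCreds/PrefKeys.swift
+++ b/XCreds/PrefKeys.swift
@@ -8,7 +8,7 @@
 import Foundation
 
 enum PrefKeys: String {
-case clientID, clientSecret, password="local password",discoveryURL, redirectURI, scopes, accessToken, idToken, refreshToken, tokenEndpoint, expirationDate, invalidToken, refreshRateHours, showDebug, verifyPassword, shouldShowQuitMenu, shouldShowPreferencesOnStart, shouldSetGoogleAccessTypeToOffline, passwordChangeURL, shouldShowAboutMenu, username
+case clientID, clientSecret, password="local password",discoveryURL, redirectURI, scopes, accessToken, idToken, refreshToken, tokenEndpoint, expirationDate, invalidToken, refreshRateHours, showDebug, verifyPassword, shouldShowQuitMenu, shouldShowPreferencesOnStart, shouldSetGoogleAccessTypeToOffline, passwordChangeURL, shouldShowAboutMenu, username, customURL, customPasswordElementID
 }
 func getManagedPreference(key: Preferences) -> Any? {
 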
105 changes: 66 additions & 39 deletions XCreds/WebView.swift
Expand Up @@ -87,22 +87,51 @@ extension WebViewController: WKNavigationDelegate {
public func webView(_ webView: WKWebView, decidePolicyFor navigationAction: WKNavigationAction, decisionHandler: @escaping (WKNavigationActionPolicy) -> Void) {
TCSLogWithMark("DecidePolicyFor: \(navigationAction.request.url?.absoluteString ?? "None")")


let customURL = UserDefaults.standard.value(forKey: PrefKeys.customURL.rawValue)
let customPasswordElementID = UserDefaults.standard.value(forKey: PrefKeys.customPasswordElementID.rawValue)
// if it's a POST let's see what we're posting...
if navigationAction.request.httpMethod == "POST" {
if let customURL = customURL as? String, let customPasswordElementID = customPasswordElementID as? String , navigationAction.request.url?.host == customURL {
TCSLogWithMark(customURL.sanitized())

let javaScript = "document.getElementById('\(customPasswordElementID.sanitized())').value"
webView.evaluateJavaScript(javaScript, completionHandler: { response, error in
if let rawPass = response as? String {
self.password=rawPass
}
else {
TCSLogWithMark("No password found")
return
}
})

}

// Azure snarfing
TCSLogWithMark("Azure")
if navigationAction.request.url?.host == "login.microsoftonline.com" {
else if navigationAction.request.url?.host == "login.microsoftonline.com" {
TCSLogWithMark("Azure")

var javaScript = "document.getElementById('i0118').value"
///passwordInput
webView.evaluateJavaScript(javaScript, completionHandler: { response, error in
if let rawPass = response as? String {
self.password=rawPass
}
else {
TCSLogWithMark("No password found")

}
})

javaScript = "document.getElementById('confirmNewPassword').value"
webView.evaluateJavaScript(javaScript, completionHandler: { response, error in
if let rawPass = response as? String {
self.password=rawPass
}
else {
TCSLogWithMark("No confirmNewPassword found")
}
})
} else if navigationAction.request.url?.host == "accounts.google.com" {
// Google snarfing
Expand All @@ -112,6 +141,11 @@ extension WebViewController: WKNavigationDelegate {
if let rawPass = response as? String {
self.password=rawPass
}
else {
TCSLogWithMark("No password found")

}


})
} else if navigationAction.request.url?.path.contains("verify") ?? false {
Expand All @@ -122,50 +156,17 @@ extension WebViewController: WKNavigationDelegate {
webView.evaluateJavaScript(javaScript, completionHandler: { response, error in
})
}
else {
TCSLogWithMark("Unknown Provider")
TCSLogWithMark(navigationAction.request.url?.path ?? "<<URL EMPTY>>")
}
} else if navigationAction.request.httpMethod == "GET" && navigationAction.request.url?.path.contains("token/redirect") ?? false {
// for Okta
let javaScript = "document.getElementById('input74').value"
webView.evaluateJavaScript(javaScript, completionHandler: { response, error in
// if let rawPass = response as? String {
// let alert = NSAlert.init()
// alert.messageText = "Your password is: \(rawPass)"
// RunLoop.main.perform {
// alert.runModal()
// }
// }
})
}

// this is cleaner, but only works with Azure

/*
if navigationAction.request.httpMethod == "POST" {
if let bodyData = navigationAction.request.httpBody,
let bodyString = String(data: bodyData, encoding: .utf8) {
if let queryDict = queryToDict(query: bodyString) {
var cleanedDict = [String:String]()
for queryPair in queryDict {
if let valueClean = queryPair.value.removingPercentEncoding,
let noB64 = Data(base64Encoded: valueClean),
let noB64String = String(data: noB64, encoding: .utf8) {
cleanedDict[queryPair.key] = noB64String
} else {
cleanedDict[queryPair.key] = queryPair.value
}
}
if let password = cleanedDict["passwd"] {
print("Password is.... \(password)")
let alert = NSAlert()
alert.messageText = "Your password is: \(password.removingPercentEncoding ?? "Unkown")"
alert.runModal()
}
}
}
}
*/

decisionHandler(.allow)
}

Expand Down Expand Up @@ -239,6 +240,32 @@ extension WebViewController: OIDCLiteDelegate {
)

}
else {
TCSLogWithMark("no password!")
NotificationCenter.default.post(name: Notification.Name("TCSTokensUpdated"), object: self, userInfo:[:])

}
}
}
}
extension String {
func sanitized() -> String {
// see for ressoning on charachrer sets https://superuser.com/a/358861
let invalidCharacters = CharacterSet(charactersIn: "\\/:*?\"<>| ")
.union(.newlines)
.union(.illegalCharacters)
.union(.controlCharacters)

return self
.components(separatedBy: invalidCharacters)
.joined(separator: "")
}

mutating func sanitize() -> Void {
self = self.sanitized()
}




}
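Review bot: The script assembled in the first hunk, `let javaScript = "document.getElementById('\(customPasswordElementID.sanitized())').value"`, splices a preference value into a single-quoted JavaScript literal, but the `sanitized()` added in the last hunk strips filename-unsafe characters (its set follows the linked superuser answer) and never removes `'`, so a customPasswordElementID containing a quote changes the script rather than the lookup; the value comes from UserDefaults rather than the page, so exposure is limited to a bad or tampered preference, but the escaping is matched to the wrong context. Passing the id as an argument removes the string building entirely; where the deployment target permits, `callAsyncJavaScript(_:arguments:in:in:completionHandler:)` does this as sketched below. Two smaller points in the same hunk: the `return` after `TCSLogWithMark("No password found")` only leaves the completion closure and can be dropped, and `PrefKeys.customURL` is compared against `navigationAction.request.url?.host`, so either a name such as `customHost` or a comment stating that the preference must be a bare host would stop a full URL from being configured and silently never matching. The comment `// see for ressoning on charachrer sets https://superuser.com/a/358861` would read better as `// character set taken from https://superuser.com/a/358861 (filename-unsafe characters)`. The enclosing `webView(_:decidePolicyFor:decisionHandler:)` starts before the first hunk and its body between the hunks is elided.
```swift
// … unchanged: customURL / customPasswordElementID lookup, POST and host check …
// Hand the element id to the page as an argument instead of splicing it into the
// script text, so a preference value can never change what the script does.
webView.callAsyncJavaScript("return document.getElementById(id).value",
                            arguments: ["id": customPasswordElementID],
                            in: nil, in: .page) { result in
    if case .success(let value) = result, let rawPass = value as? String {
        self.password = rawPass
    } else {
        TCSLogWithMark("No password found")
    }
}
// … unchanged: Azure / Google / verify branches …
```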
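--- a/xCreds.xcodeproj/project.pbxproj
+++ b/xCreds.xcodeproj/project.pbxproj
@@ -856,7 +856,7 @@
 CLANG_ENABLE_MODULES = YES;
 CODE_SIGN_STYLE = Automatic;
 COMBINE_HIDPI_IMAGES = YES;
-CURRENT_PROJECT_VERSION = 3003;
+CURRENT_PROJECT_VERSION = 3005;
 DEFINES_MODULE = YES;
 DEVELOPMENT_TEAM = UXP6YEHSPW;
 GENERATE_INFOPLIST_FILE = YES;
@@ -886,7 +886,7 @@
 CLANG_ENABLE_MODULES = YES;
 CODE_SIGN_STYLE = Automatic;
 COMBINE_HIDPI_IMAGES = YES;
-CURRENT_PROJECT_VERSION = 3003;
+CURRENT_PROJECT_VERSION = 3005;
 DEFINES_MODULE = YES;
 DEVELOPMENT_TEAM = UXP6YEHSPW;
 GENERATE_INFOPLIST_FILE = YES;
@@ -944,7 +944,7 @@
 CODE_SIGN_ENTITLEMENTS = "XCreds Login Overlay/XCreds_Login_Overlay.entitlements";
 CODE_SIGN_STYLE = Automatic;
 COMBINE_HIDPI_IMAGES = YES;
-CURRENT_PROJECT_VERSION = 3003;
+CURRENT_PROJECT_VERSION = 3005;
 DEVELOPMENT_TEAM = UXP6YEHSPW;
 ENABLE_HARDENED_RUNTIME = YES;
 GENERATE_INFOPLIST_FILE = YES;
@@ -974,7 +974,7 @@
 CODE_SIGN_ENTITLEMENTS = "XCreds Login Overlay/XCreds_Login_Overlay.entitlements";
 CODE_SIGN_STYLE = Automatic;
 COMBINE_HIDPI_IMAGES = YES;
-CURRENT_PROJECT_VERSION = 3003;
+CURRENT_PROJECT_VERSION = 3005;
 DEVELOPMENT_TEAM = UXP6YEHSPW;
 ENABLE_HARDENED_RUNTIME = YES;
 GENERATE_INFOPLIST_FILE = YES;
@@ -1117,7 +1117,7 @@
 CODE_SIGN_ENTITLEMENTS = XCreds/xCreds.entitlements;
 CODE_SIGN_STYLE = Automatic;
 COMBINE_HIDPI_IMAGES = YES;
-CURRENT_PROJECT_VERSION = 3003;
+CURRENT_PROJECT_VERSION = 3005;
 DEVELOPMENT_TEAM = UXP6YEHSPW;
 ENABLE_HARDENED_RUNTIME = YES;
 GENERATE_INFOPLIST_FILE = YES;
@@ -1146,7 +1146,7 @@
 CODE_SIGN_ENTITLEMENTS = XCreds/xCreds.entitlements;
 CODE_SIGN_STYLE = Automatic;
 COMBINE_HIDPI_IMAGES = YES;
-CURRENT_PROJECT_VERSION = 3003;
+CURRENT_PROJECT_VERSION = 3005;
 DEVELOPMENT_TEAM = UXP6YEHSPW;
 ENABLE_HARDENED_RUNTIME = YES;
 GENERATE_INFOPLIST_FILE = YES;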
Binary file not shown.
Expand Up @@ -20,5 +20,101 @@
landmarkType = "7">
</BreakpointContent>
</BreakpointProxy>
<BreakpointProxy
BreakpointExtensionID = "Xcode.Breakpoint.FileBreakpoint">
<BreakpointContent
uuid = "79C15A0F-CCC7-4449-AA5C-92380CA8F819"
shouldBeEnabled = "No"
ignoreCount = "0"
continueAfterRunningActions = "No"
filePath = "XCreds/WebView.swift"
startingColumnNumber = "9223372036854775807"
endingColumnNumber = "9223372036854775807"
startingLineNumber = "95"
endingLineNumber = "95"
landmarkName = "webView(_:decidePolicyFor:decisionHandler:)"
landmarkType = "7">
</BreakpointContent>
</BreakpointProxy>
<BreakpointProxy
BreakpointExtensionID = "Xcode.Breakpoint.FileBreakpoint">
<BreakpointContent
uuid = "B88CA37E-38F0-49EE-A5F5-799B4D0FE457"
shouldBeEnabled = "No"
ignoreCount = "0"
continueAfterRunningActions = "No"
filePath = "XCreds/WebView.swift"
startingColumnNumber = "9223372036854775807"
endingColumnNumber = "9223372036854775807"
startingLineNumber = "100"
endingLineNumber = "100"
landmarkName = "webView(_:decidePolicyFor:decisionHandler:)"
landmarkType = "7">
</BreakpointContent>
</BreakpointProxy>
<BreakpointProxy
BreakpointExtensionID = "Xcode.Breakpoint.FileBreakpoint">
<BreakpointContent
uuid = "47F510FF-C2ED-4306-B622-A99868F59A8A"
shouldBeEnabled = "No"
ignoreCount = "0"
continueAfterRunningActions = "No"
filePath = "XCreds/WebView.swift"
startingColumnNumber = "9223372036854775807"
endingColumnNumber = "9223372036854775807"
startingLineNumber = "104"
endingLineNumber = "104"
landmarkName = "webView(_:decidePolicyFor:decisionHandler:)"
landmarkType = "7">
</BreakpointContent>
</BreakpointProxy>
<BreakpointProxy
BreakpointExtensionID = "Xcode.Breakpoint.FileBreakpoint">
<BreakpointContent
uuid = "FA01570D-9F3B-454F-9947-61274C6655A5"
shouldBeEnabled = "No"
ignoreCount = "0"
continueAfterRunningActions = "No"
filePath = "XCreds/WebView.swift"
startingColumnNumber = "9223372036854775807"
endingColumnNumber = "9223372036854775807"
startingLineNumber = "105"
endingLineNumber = "105"
landmarkName = "webView(_:decidePolicyFor:decisionHandler:)"
landmarkType = "7">
</BreakpointContent>
</BreakpointProxy>
<BreakpointProxy
BreakpointExtensionID = "Xcode.Breakpoint.FileBreakpoint">
<BreakpointContent
uuid = "20B19149-C518-45A4-A13C-7DA5C9DF65D5"
shouldBeEnabled = "Yes"
ignoreCount = "0"
continueAfterRunningActions = "No"
filePath = "XCreds/MainController.swift"
startingColumnNumber = "9223372036854775807"
endingColumnNumber = "9223372036854775807"
startingLineNumber = "34"
endingLineNumber = "34"
landmarkName = "run()"
landmarkType = "7">
</BreakpointContent>
</BreakpointProxy>
<BreakpointProxy
BreakpointExtensionID = "Xcode.Breakpoint.FileBreakpoint">
<BreakpointContent
uuid = "CCDE5AFE-A1BE-4ED4-85D1-FEA29F5ABD61"
shouldBeEnabled = "Yes"
ignoreCount = "0"
continueAfterRunningActions = "No"
filePath = "XCreds/MainController.swift"
startingColumnNumber = "9223372036854775807"
endingColumnNumber = "9223372036854775807"
startingLineNumber = "42"
endingLineNumber = "42"
landmarkName = "run()"
landmarkType = "7">
</BreakpointContent>
</BreakpointProxy>
</Breakpoints>
</Bucket>
