Contents of clipboard (Full Version)






SerenityNet -> Contents of clipboard (2/11/2005 7:55:37)

How do I grab the contents of a visitor's clipboard and display it in a textarea?

Andrew




rdouglass -> RE: Contents of clipboard (2/11/2005 10:01:01)

This help any?

<form name="myForm" method="POST" action="--WEBBOT-SELF--">
<textarea name="myField"></textarea>
<input type="submit" value="Submit" name="B1"><input type="reset" value="Reset" name="B2">
</form>

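<script type="text/javascript">
  // window.clipboardData is Internet Explorer's proprietary clipboard object;
  // getData("Text") returns whatever text is currently on the clipboard.
  var content = clipboardData.getData("Text");
  // Copy the clipboard text into the textarea of the form above.
  document.forms["myForm"].elements["myField"].value = content;
</script>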




dpf -> RE: Contents of clipboard (2/11/2005 10:15:51)

and this would require the user's cooperation - I was hoping the answer wouldn't be that a site could just reach into my clipboard and grab it - can it?




rdouglass -> RE: Contents of clipboard (2/11/2005 10:28:09)

quote:

and this would require the user's cooperation - I was hoping the answer wouldn't be that a site could just reach into my clipboard and grab it - can it?


Actually it can grab (and this script does) without your intervention. Do you want to see it?[;)] Put it on a page and try it out. I can put similar code with a hidden form and send your clipboard to a CGI (or whatever) without you even knowing it unless you have JavaScript turned off.[:o][:o]




BeTheBall -> RE: Contents of clipboard (2/11/2005 10:36:53)

Yikes! Tested it and it works as advertised. I guess copying and pasting one's credit card number would be a really, really bad idea, which I think I may have done once or twice. [:o]




dpf -> RE: Contents of clipboard (2/11/2005 10:47:17)

quote:

Actually it can grab (and this script does) without your intervention
rdouglass: I can see that: var content = clipboardData.getData("Text");
document.forms["myForm"].elements["myField"].value = content; ... puts my clipboard results into the textarea but..... it still requires me to click the submit button - doesn't it?????? that was what i meant by cooperation... omg wait - you mean you could put that in a hidden field and i would innocently complete other fields and hit submit - right???




rdouglass -> RE: Contents of clipboard (2/11/2005 11:50:41)

quote:

it still requires me to click the submit button - doesn't it?????? that was what i meant by cooperation... omg wait - you mean you could put that in a hidden field and i would innocently complete other fields and hit submit - right???


No it doesn't. [:o][:'(] You don't even have to click ANYTHING?

Try this.

1. Put some text on your clipboard.

2. Go to this page and it will email me the contents of your clipboard without you knowing it. (You need JavaScript turned on.)

Once I receive the email, I'll post the result here (as long as it's PG-13 or better [;)])

And No, I will NOT, absolutely NOT, post exactly how I did it. [;)] This is definitely an exploit but it's relatively easy to figure out.




dpf -> RE: Contents of clipboard (2/11/2005 12:04:29)

quote:

And No, I will NOT, absolutely NOT, post exactly how I did it. This is definitely an exploit but it's relatively easy to figure out.
I certainly respect that! However, you know that it will drive me crazy all day ( and I doubt that "easy" are the same for you and me..lol) when you said go to "this page" ..do you mean this post page we are on? that totally baffles me - wow




rdouglass -> RE: Contents of clipboard (2/11/2005 13:04:36)

quote:

when you said go to "this page"


OOPS! Never posted the link...[:o]

http://www.clarkinsurance.com/1.asp

I'd be curious also as to if any browsers reject this exploit. Remember: Gotta' have JavaScript on....




rdouglass -> RE: Contents of clipboard (2/11/2005 13:27:43)

Whoever just tried it, remember you need text on the clipboard for this particular test. I could build it for anything but I just did this one for text.....

The script thought the clipboard was empty if you're interested.




dzirkelb1 -> RE: Contents of clipboard (2/11/2005 13:53:10)

That is definitely, extremely scary...especially that the page is an insurance page!!

Imagine some rogue hacker out there placing some sort of redirect scheme on a page that google picks up....like, someone rigging it so they search for visa or something, the first result is the hacker page that makes it look like it goes to visa.com or something (and it does after it copies your clipboard and sends them an email with the contents)

Yeek!




rdouglass -> RE: Contents of clipboard (2/11/2005 13:55:57)

A post for proof. I think I'll turn that link off now....[8|][;)]

'requires me to click the submit'





dpf -> RE: Contents of clipboard (2/11/2005 13:57:21)

quote:

rogue
well now that you mention it - look at rdouglass' hair - if that isn't rogueish, I am the Queen of Scotland




rdouglass -> RE: Contents of clipboard (2/11/2005 14:06:03)

Define "rogue". Do you mean "non-conforming"? Well, then "Yes."[;)]

...and that is not my real hair; mine's messier![:D]




dpf -> RE: Contents of clipboard (2/11/2005 14:07:44)

quote:

Define "rogue".
I could omit the g and you would be a roue..lol




rdouglass -> RE: Contents of clipboard (2/11/2005 14:21:21)

2 more clipboard contents:

1. Roger: this is dan fitzgerald from outfront - dpf

2. for you and me..lol) when

Unless someone objects, I'm now removing it from action.




SerenityNet -> RE: Contents of clipboard (2/11/2005 14:31:45)

Thanks Roger.  This is exactly what I was looking to find.  I ran across the capability a couple of months ago on some security site.  Obviously I immediately quit copying and pasting my passwords and such sensitive information, and I close my browser between sites.   I don't recall the site right now, but I'll look it up and post it when I get home tonight.

The reason I asked the question is that I'm slowly building a tool that displays the page's "environment". It reports on active session variables, server variables, server e-mail components installed, the user's IP, the user's geographical location, http header, referring page, URL's visited during session, and (of course) user's clipboard contents.  I started the tool, just wanting to get variables, but then it just kind of grew to "what kind of information can I pull about the site and user?"

Thanks again.
Andrew




SerenityNet -> RE: Contents of clipboard (2/11/2005 20:06:02)

Here you go...

Examples of information that can be pulled from your sessions...

ZoneAlarm




jeepless -> RE: Contents of clipboard (2/12/2005 9:26:59)

quote:

Whoever just tried it, remember you need text on the clipboard for this particular test. I could build it for anything but I just did this one for text.....

The script thought the clipboard was empty if you're interested.


rdouglass: That may have been me trying out your "1.asp" page to see if it could read the contents of my clipboard. I went to your page right after you posted the link and I did have some text copied to the clipboard. However I later went to the "ZoneAlarm" privacy test page posted by SerenityNet and it reported that I was "not vulnerable against this threat". So it would appear that Zone Alarm (which I run on all my machines) is effective at blocking the exploit you used. I guess that's why you didn't get my clipboard contents if I was indeed the one you were reporting on.

Nonetheless, your code was a very enlightening example of what can be grabbed from a user when simply browsing a web page. In fact it's a bit scary....
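
An added example, not part of the thread and not any poster's code: a small Node.js audit that a reviewer or content filter could run over a page's source to flag inline scripts that read the clipboard on their own through the IE `clipboardData` global, as opposed to reads inside a user-initiated paste event. `auditClipboardReads` and `SAMPLE_PAGE` are hypothetical names, the sample page is constructed from the snippet posted above, and this is not a description of how ZoneAlarm blocks the read.

```javascript
// Constructed sample: the thread's snippet plus a legitimate paste handler.
const SAMPLE_PAGE = `<html><body>
<form name="myForm" method="POST" action="--WEBBOT-SELF--">
<textarea name="myField"></textarea>
</form>
<script language="javascript">
  var content = clipboardData.getData("Text");
  document.forms["myForm"].elements["myField"].value = content;
</script>
<script>
  document.addEventListener("paste", function (e) {
    var pasted = e.clipboardData.getData("text/plain");
  });
</script>
</body></html>`;

// Bare clipboardData.getData( or window.clipboardData.getData( : the IE
// global, readable by script with no user action.
const GLOBAL_READ = /(?<![\w.$])(?:window\s*\.\s*)?clipboardData\s*\.\s*getData\s*\(/;
// <something>.clipboardData.getData( : the event-scoped object, which only
// exists while the user is actually pasting.
const EVENT_READ = /\.\s*clipboardData\s*\.\s*getData\s*\(/;

function auditClipboardReads(html) {
  const findings = [];
  const scriptRe = /<script\b[^>]*>([\s\S]*?)<\/script\s*>/gi;
  let m;
  while ((m = scriptRe.exec(html)) !== null) {
    // 1-based page line on which the script body starts.
    const bodyStart = m.index + m[0].indexOf(">") + 1;
    const firstLine = html.slice(0, bodyStart).split("\n").length;
    m[1].split("\n").forEach((text, i) => {
      let kind = null;
      if (GLOBAL_READ.test(text)) kind = "script-initiated";
      else if (EVENT_READ.test(text)) kind = "paste-event";
      if (kind) findings.push({ line: firstLine + i, kind, code: text.trim() });
    });
  }
  return findings;
}

for (const f of auditClipboardReads(SAMPLE_PAGE)) {
  console.log(`line ${f.line} [${f.kind}] ${f.code}`);
}
```

Only the `script-initiated` findings correspond to the behaviour demonstrated in this thread; `paste-event` reads happen when the user pastes into the page.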



