Uncategorized, Web Attacks

When performing a penetration test on web applications, especially against form fields that handle passwords (e.g. database configuration forms or user listing pages), you may want to know whether the application echoes the password back in plain text, which is generally a bad practice.

It is particularly useful for revealing the contents of many such fields at once, especially on bulky pages.
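The check described above (does the server-rendered page pre-fill a password field with the stored secret?) can also be done without the extension. The script below is an added example, not the extension's code: it scans an HTML document for `<input type="password">` elements whose `value` attribute is non-empty and reports the field name and the length of the echoed value, never the value itself. The sample form and field names are constructed for the example.

```javascript
// Added example (not the extension's code): flag password fields that a page
// pre-fills with a value, i.e. the application echoes a stored password back
// to the browser in clear text.

// Parse the attributes of a single <input ...> tag into an object.
function parseInputAttributes(tag) {
  const attrs = {};
  // Strip the tag name and the closing bracket, leaving only the attribute list.
  const body = tag.replace(/^<\s*input\b/i, '').replace(/\/?>$/, '');
  // name="double" | name='single' | name=bare | name (boolean attribute)
  const attrRe = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = attrRe.exec(body)) !== null) {
    const name = m[1].toLowerCase();
    const value = m[2] ?? m[3] ?? m[4] ?? '';
    attrs[name] = value;
  }
  return attrs;
}

// Return one finding per password field whose value attribute is pre-filled.
// Only the field name and the value length are reported, not the secret.
function findEchoedPasswords(html) {
  const findings = [];
  const inputRe = /<input\b[^>]*>/gi;
  let m;
  while ((m = inputRe.exec(html)) !== null) {
    const attrs = parseInputAttributes(m[0]);
    if ((attrs.type || 'text').toLowerCase() !== 'password') continue;
    if (attrs.value && attrs.value.length > 0) {
      findings.push({ name: attrs.name || '(unnamed)', valueLength: attrs.value.length });
    }
  }
  return findings;
}

// Constructed sample: a database configuration form that echoes the saved
// password, plus fields that are correctly left empty.
const SAMPLE_HTML = `
<form method="post" action="/admin/db-config">
  <label>DB host <input type="text" name="db_host" value="db.internal"></label>
  <label>DB user <input type="text" name="db_user" value="app"></label>
  <label>DB password <input type="password" name="db_pass" value="s3cretpw!"></label>
  <label>Confirm <input type="password" name="confirm" value=""></label>
  <input type='password' name='new_pass'>
</form>
<input type="password" name="login_pw" autocomplete="current-password">
`;

// Run the audit against the sample; the expected result is a single finding
// for db_pass with a value length of 9.
function auditSample() {
  return findEchoedPasswords(SAMPLE_HTML);
}

for (const f of auditSample()) {
  console.log(`password field "${f.name}" is pre-filled (${f.valueLength} chars echoed)`);
}
```

Feed it the raw response body of the page under test (e.g. saved from the proxy) rather than the live DOM, since the point is what the server sends, not what a script filled in afterwards; a field that is only populated client-side is a different finding.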

Users not familiar with Firebug or the developer tools in Chrome or Firefox may also find this handy, as it does the work under the hood for you and gives accurate results.

Only enable the extension when needed: as a regular user, you also do not want someone shoulder surfing to see the passwords you type into form fields when you are not doing security tests.

Download the extension from here:

To learn how to install it manually in Chrome:

For Firefox Users:

A successful install is as below:


From here, as long as it is enabled, just visit the URL you want to view and the password fields will be unmasked. In case of bugs or problems, please feel free to get back to me. See it in action below. This takes a social engineering perspective to using the extension, where you want to see how aware a user is: if they don't realize the exposure when typing, then there is a problem with the human firewall. The attacker would shoulder surf as the person types to see if they noticed unusual changes in their browser activity:

Facebook Password unmasked on mouse focus


September 2023