Form Fields Fingerprint
Background
The Form Fields Fingerprint is not to be used as a unique identifier of devices like other fingerprints presented on this site. Its main purpose is to detect miscreants injecting extra form fields into your site. Malware such as SpyEye, Zeus, Ice IX and others can inject additional form fields into your site in order to steal data from your clients. By taking a snapshot of the form fields the user sees, you can determine if any of your clients are infected.
How It Works
The JavaScript code is straightforward but a little more complex than some other examples on this site. The function below first queries all the form elements, and then walks each form, enumerating every input field. The result is then returned with the form name and the fields that a user can input data into.
Entropy Estimate: N/A
Code
The JavaScript function below enumerates all forms and form fields.
Source Code
function fingerprint_formfields() {
    "use strict";
    var i, j, numOfForms, numOfInputs, strFormsInPage, strFormsInputsData, strInputsInForm, strTmp, strOut;
    i = 0;
    j = 0;
    numOfForms = 0;
    numOfInputs = 0;
    strFormsInPage = "";
    strFormsInputsData = [];
    strInputsInForm = "";
    strTmp = "";
    strOut = "";
    // Collect every <form> element on the page.
    strFormsInPage = document.getElementsByTagName('form');
    numOfForms = strFormsInPage.length;
    // Record the page URL first so the snapshot can be tied to a page.
    strFormsInputsData.push("url=" + window.location.href);
    for (i = 0; i < numOfForms; i = i + 1) {
        strFormsInputsData.push("FORM=" + strFormsInPage[i].name);
        // Walk the <input> elements of this form.
        strInputsInForm = strFormsInPage[i].getElementsByTagName('input');
        numOfInputs = strInputsInForm.length;
        for (j = 0; j < numOfInputs; j = j + 1) {
            // Skip hidden inputs: only fields the user can see are reported.
            if (strInputsInForm[j].type !== "hidden") {
                strFormsInputsData.push("Input=" + strInputsInForm[j].name);
            }
        }
    }
    // Join all entries into one "|"-separated string.
    strTmp = strFormsInputsData.join("|");
    strOut = strTmp;
    return strOut;
}
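One way to evaluate the returned string against a known-good baseline of each form's visible inputs is sketched below. This is an added example, not code from this site: the names EXPECTED_FORMS, parseFormFingerprint and findInjectedFields, the baseline and the sample fingerprints are all constructed assumptions.

```javascript
// Added example; EXPECTED_FORMS and both function names are hypothetical.
// Constructed baseline: the visible inputs each form legitimately contains.
const EXPECTED_FORMS = { login: ["username", "password"] };
// Constructed sample fingerprints in the format fingerprint_formfields() returns.
const CLEAN = "url=https://bank.example/login|FORM=login|Input=username|Input=password";
const TAMPERED = CLEAN + "|Input=card_pin|Input=security_answer";

// Parse "url=...|FORM=name|Input=a|..." into { url, forms, unparsed }.
function parseFormFingerprint(fp) {
    const result = { url: "", forms: [], unparsed: [] };
    let current = null;
    fp.split("|").forEach(function (token, idx) {
        if (token.startsWith("FORM=")) {
            current = { name: token.slice(5), inputs: [] };
            result.forms.push(current);
        } else if (current && token.startsWith("Input=")) {
            current.inputs.push(token.slice(6));
        } else if (idx === 0 && token.startsWith("url=")) {
            result.url = token.slice(4);
        } else if (!current) {
            // A "|" inside the URL splits it; rejoin pieces seen before the first FORM.
            result.url += "|" + token;
        } else {
            result.unparsed.push(token); // e.g. a field name that contained "|"
        }
    });
    return result;
}

// List every form or input in the fingerprint that the baseline does not contain.
function findInjectedFields(fp, baseline) {
    const parsed = parseFormFingerprint(fp);
    const findings = parsed.unparsed.map(function (t) {
        return { form: null, input: t, reason: "unparsed token" };
    });
    parsed.forms.forEach(function (form) {
        if (!Object.prototype.hasOwnProperty.call(baseline, form.name)) {
            findings.push({ form: form.name, input: null, reason: "unexpected form" });
            return;
        }
        form.inputs.forEach(function (name) {
            if (!baseline[form.name].includes(name)) {
                findings.push({ form: form.name, input: name, reason: "unexpected input" });
            }
        });
    });
    return findings;
}
```

Because the fingerprint covers only non-hidden `input` elements, the baseline should list exactly those fields for each form.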
Validation
Unlike other code on the Internet, we do everything possible to verify our code for you. In order to minimize problems and maximize compatibility, this code has been verified with JSLint and has been extensively tested with over 1100 OS/Browser combinations using BrowserStack.
Reference
Meet Ice IX, Son of Zeus (Aug 28, 2011). In Internet Security. Retrieved September 09, 2017, from http://www.internetsecuritydb.com/2011/08/meet-ice-ix-son-of-zeus.html
VB2014 paper: Protecting financial institutions from man-in-the-browser attacks (Jan 01, 2016). In Virus Bulletin. Retrieved September 09, 2017, from https://www.virusbulletin.com/virusbulletin/2016/01/paper-protecting-financial-institutions-man-browser-attacks/