Vulnerable Remember Password

heck List

Methodology

Black Box

Trigger the Passwordless / Remember Me Login

1

Register or log in normally

2

Tick "Remember me", "Stay logged in", or use "Sign in with this device"

3

Complete login → Note you are logged in

4

Open DevTools → Application → Local Storage / Session Storage / IndexedDB

5

Search for password, cred, token, user, email

6

If plain/encoded/base64 credentials found → Credential leak confirmed

7

then go to DevTools → Application → Cookies

8

Look for session cookie with no or very long Expires/Max-Age (1 year, "Session" but never expires)

---

Clickjacking on Auto-Login Page

1

Frame the login/auto-auth page

<iframe src="https://target.com/auto-login" style="opacity:0.1"></iframe>

2

If auto-login triggers in iframe → Clickjacking possible

---

CSRF on Auto-Auth Flow

1

Craft CSRF PoC that visits the auto-login endpoint

<img src="https://target.com/remembered-login-endpoint">

2

If victim visits → Automatically logged in as you → CSRF confirmed

---

White Box

Cheat Sheet