Chrome warns about compromised data when using form replay
There is a new feature in Chrome that verifies the user/password entered in a form against stolen database records. See https://www.welivesecurity.com/2019/12/12/chrome-warnings-password-stolen/ or https://security.googleblog.com/2019/12/better-password-protections-in-chrome.html for more information.
The form replay feature acts in 2 steps:
- step2: the handler sets the desired data on the fly in the post form
During step1, the data are simply "xxxx", with the same number of x characters as the length of the injected value. Chrome considers this value a stolen password and shows an annoying warning in the browser.
Compute a random value of the same length for every field in the form.
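
The proposal above as an added example (not the project's own code): each field gets a placeholder of the same length as the value to be injected, drawn from a CSPRNG instead of a run of "x". The names `randomString` and `placeholdersFor`, the alphabet and the sample field values are assumptions made for illustration.

```javascript
// Added example: same-length random placeholders for the first step of form replay.
// Web Crypto is global in browsers and recent Node; fall back to node:crypto otherwise.
const rng = globalThis.crypto ?? require('node:crypto').webcrypto;

const ALPHABET = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';

// Return `length` characters drawn uniformly from ALPHABET.
function randomString(length) {
  // Rejection sampling: discard bytes >= limit so `byte % 62` has no modulo bias.
  const limit = 256 - (256 % ALPHABET.length);
  const out = [];
  const buf = new Uint8Array(Math.max(16, length * 2));
  while (out.length < length) {
    rng.getRandomValues(buf);
    for (const byte of buf) {
      if (byte < limit && out.length < length) {
        out.push(ALPHABET[byte % ALPHABET.length]);
      }
    }
  }
  return out.join('');
}

// Build the placeholders for a map of field name -> value to inject later.
function placeholdersFor(fields) {
  const result = {};
  for (const [name, injected] of Object.entries(fields)) {
    let candidate = randomString(injected.length);
    // Never hand back the real value by chance (only plausible for very short fields).
    while (injected.length > 0 && candidate === injected) {
      candidate = randomString(injected.length);
    }
    result[name] = candidate;
  }
  return result;
}

// Constructed sample input, not taken from any real form.
const sample = { username: 'alice@example.test', password: 'constructed-secret-1' };
console.log(placeholdersFor(sample));
```

Because the placeholder keeps the original length, any length validation on the form still sees a value of the expected size before the handler swaps in the real data.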