Sniffing out passwords on Web sites

Web sites that allow users to log on without using the Secure
Sockets Layer protocol are notoriously unsecure. Most take only the
most basic measures to hide a user's name and password as
they are passed from the Web browser to the server, specifically by
encoding the information in Base 64.


In a SANS Institute class for advanced Web security
vulnerabilities, instructor Kevin Johnson showed how easy it is to
compromise sites.


To see the vulnerability in action, all you need is the Firefox
browser, a free add-on called SwitchProxy that can detour traffic
from that browser through another program and a third program that
can decode network packets from Base 64.


First, using Firefox, download and install the SwitchProxy
add-in (GCN.com/1085). This program will place a toolbar
on the Firefox browser that lets you direct traffic through a
proxy.


For a scanner, you can download and install Paros, a free
combination Java-based proxy and packet scanner (GCN.com, Quickfind
1084). Windows users can start Paros from the icon placed in the
menu during installation. Linux users can execute the program from
the command line using a Java command.


1. On the SwitchProxy, click on the Add Proxy tab. Here you can
route all network packets going to or from that browser to Paros by
clicking on the Add button and filling in 'localhost'
and '8080' in the first HTTP Proxy and Port fields,
respectively. Name the new proxy 'Paros' and click the
OK button.


2. On the SwitchProxy toolbar, set the proxy to Paros and click
Apply.


Start Paros, and start browsing on Firefox. You will notice that
Paros is already collecting all the packets sent to Port 8080 on
your computer.


3. Find a Web site that requires a log-in but does not use SSL.
These sites' addresses do not have the https prefix. Enter
the name and password. After hitting Enter, look in Paros for the
POST request in the bottom pane. In the top right-hand corner, you
will see the packet sent from the browser.


4. The browser has appended the name and password supplied by the
user ' in this case, TestUser and HelloThere ' to the
Web address and sent them to the server. Other than being in Base
64, the password is unencrypted.


Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above