
    Sniffing out passwords on Web sites

    Web sites that allow users to log on without using the Secure
    Sockets Layer protocol are notoriously insecure. Most take only the
    most basic measures to hide a user's name and password as
    they are passed from the Web browser to the server, specifically by
    encoding the information in Base 64.


    In a SANS Institute class for advanced Web security
    vulnerabilities, instructor Kevin Johnson showed how easy it is to
    compromise sites.


    To see the vulnerability in action, all you need is the Firefox
    browser, a free add-on called SwitchProxy that can detour traffic
    from that browser through another program and a third program that
    can decode network packets from Base 64.


    First, using Firefox, download and install the SwitchProxy
    add-on (GCN.com/1085). This program will place a toolbar
    on the Firefox browser that lets you direct traffic through a
    proxy.


    For a scanner, you can download and install Paros, a free
    combination Java-based proxy and packet scanner (GCN.com, Quickfind
    1084). Windows users can start Paros from the icon placed in the
    menu during installation. Linux users can execute the program from
    the command line using a Java command.


    1. On the SwitchProxy, click on the Add Proxy tab. Here you can
    route all network packets going to or from that browser to Paros by
    clicking on the Add button and filling in 'localhost'
    and '8080' in the first HTTP Proxy and Port fields,
    respectively. Name the new proxy 'Paros' and click the
    OK button.


    2. On the SwitchProxy toolbar, set the proxy to Paros and click
    Apply.


    Start Paros, and start browsing on Firefox. You will notice that
    Paros is already collecting all the packets sent to Port 8080 on
    your computer.


    3. Find a Web site that requires a log-in but does not use SSL.
    These sites' addresses do not have the https prefix. Enter
    the name and password. After hitting Enter, look in Paros for the
    POST request in the bottom pane. In the top right-hand corner, you
    will see the packet sent from the browser.


    4. The browser has appended the name and password supplied by the
    user (in this case, TestUser and HelloThere) to the
    Web address and sent them to the server. Other than being in Base
    64, the password is unencrypted.
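    A defender-side check for the same weakness, added here as an example and not part of the GCN article, SwitchProxy or Paros: it parses constructed proxy-style requests (the host names and the request text are made up; TestUser and HelloThere are the article's credentials), reverses the Base 64 of any Basic credentials sent over plain http, flags password form fields in POST bodies, and reports the user name with only the password length.

```python
import base64
import binascii
from urllib.parse import parse_qs, urlsplit

# Constructed sample: three requests as an intercepting proxy such as Paros
# would record them (proxied requests carry the full URL in the request line,
# so the scheme is visible). Nothing here is captured traffic.
CONSTRUCTED_REQUESTS = [
    "GET http://intranet.example.test/reports HTTP/1.1\r\nHost: intranet.example.test\r\n"
    "Authorization: Basic " + base64.b64encode(b"TestUser:HelloThere").decode() + "\r\n\r\n",
    "POST http://portal.example.test/login HTTP/1.1\r\nHost: portal.example.test\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\nusername=TestUser&password=HelloThere",
    "GET http://www.example.test/index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n",
]

# Form field names commonly used for passwords (assumption for this example).
PASSWORD_FIELDS = ("password", "passwd", "pass", "pwd")

def parse_request(raw):
    """Split a raw HTTP/1.x request into (request target, headers dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    _method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return target, headers, body

def audit_plaintext_credentials(raw_requests):
    """Return one finding per request that carries a user name and password over
    plain http://. Base 64 is an encoding, not encryption, so Basic credentials
    are recovered exactly as an eavesdropper would recover them; the password
    itself is never stored, only its length."""
    findings = []
    for raw in raw_requests:
        target, headers, body = parse_request(raw)
        if urlsplit(target).scheme.lower() != "http":
            continue  # https (or a relative target): not readable on the wire
        auth = headers.get("authorization", "")
        if auth.lower().startswith("basic "):
            try:
                user, _, pw = base64.b64decode(auth[6:].strip(), validate=True).decode().partition(":")
            except (binascii.Error, UnicodeDecodeError):
                user, pw = "<undecodable>", ""
            findings.append({"target": target, "kind": "basic-auth", "user": user, "password_len": len(pw)})
        if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
            form = parse_qs(body)
            for field in PASSWORD_FIELDS:
                if field in form:
                    findings.append({"target": target, "kind": "form-field:" + field,
                                     "user": form.get("username", [""])[0], "password_len": len(form[field][0])})
    return findings
```

Any finding is a site that should be moved behind SSL; a request whose target starts with https is skipped because the proxy would only see an opaque tunnel.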

