Sniffing out passwords on Web sites

Web sites that allow users to log on without using the Secure
Sockets Layer protocol are notoriously insecure. Most take only the
most basic measures to hide a user's name and password as
they are passed from the Web browser to the server, specifically by
encoding the information in Base 64.

In a SANS Institute class for advanced Web security
vulnerabilities, instructor Kevin Johnson showed how easy it is to
compromise sites.

To see the vulnerability in action, all you need is the Firefox
browser, a free add-on called SwitchProxy that can detour traffic
from that browser through another program and a third program that
can decode network packets from Base 64.

First, using Firefox, download and install the SwitchProxy
add-in ( This program will place a toolbar
on the Firefox browser that lets you direct traffic through a

For a scanner, you can download and install Paros, a free
combination Java-based proxy and packet scanner (, Quickfind
1084). Windows users can start Paros from the icon placed in the
menu during installation. Linux users can execute the program from
the command line using a Java command.

1. On the SwitchProxy toolbar, click on the Add Proxy tab. Here you can
route all network packets going to or from the browser to Paros by
clicking on the Add button and filling in 'localhost'
and '8080' in the first HTTP Proxy and Port fields,
respectively. Name the new proxy 'Paros' and click the
OK button.

2. On the SwitchProxy toolbar, set the proxy to Paros and click

Start Paros, and start browsing on Firefox. You will notice that
Paros is already collecting all the packets sent to Port 8080 on
your computer.

3. Find a Web site that requires a log-in but does not use SSL.
These sites' addresses do not have the https prefix. Enter
the name and password. After hitting Enter, look in Paros for the
POST request in the bottom pane. In the top right-hand corner, you
will see the packet sent from the browser.

4. The browser has appended the name and password supplied by the
user (in this case, TestUser and HelloThere) to the
Web address and sent them to the server. Apart from being Base
64-encoded, the password is unencrypted.
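To make the point of step 4 concrete from the defender's side, the following added example (not from the article or from the Paros project) parses requests of the kind an intercepting proxy displays, pulls out any credentials they carry, whether as a login form POST or as an HTTP Basic Authorization header, and flags those sent over plain http. The captured requests, the host example.test and the field names are constructed for the example; TestUser and HelloThere are the article's own sample values.

```python
import base64
from urllib.parse import parse_qs

# Constructed samples of what an intercepting proxy shows: a plain-HTTP form
# login, a plain-HTTP request using Basic auth, and the same login over HTTPS.
CAPTURED_REQUESTS = [
    "POST http://example.test/login HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "username=TestUser&password=HelloThere",
    "GET http://example.test/admin/ HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "Authorization: Basic VGVzdFVzZXI6SGVsbG9UaGVyZQ==\r\n"
    "\r\n",
    "POST https://example.test/login HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "\r\n"
    "username=TestUser&password=HelloThere",
]

PASSWORD_FIELDS = {"password", "passwd", "pass", "pwd"}   # constructed list
USER_FIELDS = {"username", "user", "login", "email"}      # constructed list

def parse_request(raw):
    """Split a raw HTTP request into (method, url, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, url, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, url, headers, body

def exposed_credentials(raw):
    """Return (scheme, user, password) carried by a request, or None.
    Base 64 is a reversible encoding, so a Basic header is as readable
    to anyone on the path as a form field is."""
    method, url, headers, body = parse_request(raw)
    scheme = url.split("://", 1)[0].lower() if "://" in url else "http"
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        decoded = base64.b64decode(auth[6:]).decode("utf-8", "replace")
        user, _, password = decoded.partition(":")
        return scheme, user, password
    if method == "POST":
        fields = parse_qs(body)
        pw = [k for k in fields if k.lower() in PASSWORD_FIELDS]
        user = [k for k in fields if k.lower() in USER_FIELDS]
        if pw:
            return scheme, fields[user[0]][0] if user else "", fields[pw[0]][0]
    return None

def cleartext_logins(requests):
    """Credentials that crossed the wire over plain http, i.e. sniffable."""
    return [c for c in map(exposed_credentials, requests) if c and c[0] == "http"]
```

Run over a proxy's saved requests, `cleartext_logins` lists exactly the logins that the article's setup would expose; the HTTPS request is parsed but not reported.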

About the Author

Joab Jackson is the senior technology editor for Government Computer News.
