Sniffing out passwords on Web sites

Web sites that allow users to log on without using the Secure
Sockets Layer protocol are notoriously insecure. Most take only the
most basic measures to hide a user's name and password as they pass
from the Web browser to the server; at best the values are encoded in
Base 64, which is an encoding, not encryption, and which anyone on the
network path can reverse in an instant.

In a SANS Institute class on advanced Web security
vulnerabilities, instructor Kevin Johnson showed how easy it is to
compromise such sites.

To see the vulnerability in action, all you need is the Firefox
browser, a free add-on called SwitchProxy that detours the browser's
traffic through another program, and a third program, an intercepting
proxy, that displays each request as it passes and can decode Base 64
for you.

First, using Firefox, download and install the SwitchProxy
add-in. This program places a toolbar on the Firefox browser from
which you choose the proxy that the browser's traffic is routed
through.
For the proxy, download and install Paros, a free Java-based
combination of intercepting proxy and Web scanner (Quickfind 1084).
Windows users can start Paros from the icon placed in the menu during
installation; Linux users run it from the command line with a Java
command.

1. On the SwitchProxy toolbar, click the Add Proxy tab. Here you
route all requests going to or from the browser through Paros: click
the Add button and fill in 'localhost' and '8080' in the first HTTP
Proxy and Port fields, respectively (Paros listens on that port by
default). Name the new proxy 'Paros' and click the OK button.

2. On the SwitchProxy toolbar, select the Paros proxy. Start
Paros, then start browsing in Firefox. You will see Paros listing
every request the browser sends through port 8080 on your computer.

3. Find a Web site that requires a log-in but does not use SSL.
These sites' addresses do not start with the https prefix. Enter
the name and password. After pressing Enter, look in Paros for the
POST request in the bottom pane. In the top right-hand pane you
will see the request the browser sent.

4. The request carries the name and password the user supplied (in
this case, TestUser and HelloThere) to the server in the clear, either
as form fields in the body or as parameters appended to the Web
address. Where a site uses HTTP Basic authentication instead, the pair
appears in an Authorization header encoded in Base 64; that is an
encoding, not encryption, and anyone who can read the packet can decode
it as quickly as the server does.
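As an added example (not code from the article, from Paros or from SwitchProxy), the following Python script does by hand what you read off the Paros request pane: it parses a raw HTTP request and pulls the user name and password out of the three places a non-SSL login sends them in the clear, namely a Basic Authorization header (Base 64, decoded here), a URL-encoded POST body, and the query string on the Web address. The sample requests and the form-field names it looks for are constructed assumptions; the credentials are the article's TestUser and HelloThere.

```python
"""Recover cleartext credentials from captured HTTP requests.

Added example: not code from the GCN article, Paros or SwitchProxy.
The request texts at the bottom are constructed samples, not real
captures; the field names in USER_KEYS/PASS_KEYS are an assumption.
"""
import base64
import binascii
from urllib.parse import parse_qs, urlsplit

# Form-field names that commonly carry a login (assumed for this example).
USER_KEYS = ("user", "username", "login", "uid", "email")
PASS_KEYS = ("pass", "password", "passwd", "pwd")


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, target, headers, body).

    Header names are lower-cased so lookups are case-insensitive.
    """
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def _first(fields, keys):
    """Return the first value whose field name matches one of keys."""
    for key in keys:
        if key in fields:
            return fields[key][0]
    return None


def extract_credentials(raw):
    """Return {"source", "user", "password"} for a login request, else None."""
    method, target, headers, body = parse_request(raw)

    # 1. HTTP Basic authentication: Base 64 of "user:password". Base 64 is an
    #    encoding, so reversing it needs no key at all.
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() == "basic":
        try:
            decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            decoded = ""  # malformed header: fall through to the other checks
        if ":" in decoded:
            user, password = decoded.split(":", 1)
            return {"source": "basic-auth", "user": user, "password": password}

    # 2. Form fields in a URL-encoded POST body.
    if method == "POST" and headers.get("content-type", "").startswith(
            "application/x-www-form-urlencoded"):
        fields = parse_qs(body, keep_blank_values=True)
        user, password = _first(fields, USER_KEYS), _first(fields, PASS_KEYS)
        if user is not None and password is not None:
            return {"source": "post-body", "user": user, "password": password}

    # 3. Parameters appended to the Web address.
    fields = parse_qs(urlsplit(target).query, keep_blank_values=True)
    user, password = _first(fields, USER_KEYS), _first(fields, PASS_KEYS)
    if user is not None and password is not None:
        return {"source": "query-string", "user": user, "password": password}
    return None


# Constructed sample requests, using the article's TestUser/HelloThere.
SAMPLE_POST = (
    "POST /login HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 37\r\n"
    "\r\n"
    "username=TestUser&password=HelloThere"
)
SAMPLE_BASIC = (
    "GET /account HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "Authorization: Basic VGVzdFVzZXI6SGVsbG9UaGVyZQ==\r\n"
    "\r\n"
)
SAMPLE_QUERY = (
    "GET /login?user=TestUser&pass=HelloThere HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "\r\n"
)
SAMPLE_NO_LOGIN = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "Authorization: Basic not*base64\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for name, raw in [("POST", SAMPLE_POST), ("Basic", SAMPLE_BASIC),
                      ("Query", SAMPLE_QUERY), ("None", SAMPLE_NO_LOGIN)]:
        print(name, "->", extract_credentials(raw))
```

Run it as a script to print what each sample yields. The malformed Basic header in the last sample shows the one edge worth handling: a token that is not valid Base 64 is rejected rather than crashing the parser, and the request is then checked for the other two forms before reporting nothing.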

About the Author

Joab Jackson is the senior technology editor for Government Computer News.
