Intercepting HTTP request
Printed From: Web Wiz Forums
Category: General Discussion
Forum Name: General Discussion
Forum Description: General discussion and chat on any topic.
URL: https://forums.webwiz.net/forum_posts.asp?TID=23013
Printed Date: 29 March 2026 at 6:49pm
Software Version: Web Wiz Forums 12.08 - https://www.webwizforums.com
Topic: Intercepting HTTP request
Posted By: Gullanian
Subject: Intercepting HTTP request
Date Posted: 29 March 2007 at 11:54pm
|
I found a website that deals with users finances. It links to their bank accounts and credit cards. Upon registering, they have a registration confirmation page, that displays your password and username you entered in plain text over a plain HTTP connection. If someone were aware of this website, how easy would it be for them (if they had access to the necessary equipment) to write some software to catch any of these pages? Is it reasonable to assume that this is a fairly major security issue for their website? Or is it probably nothing to worry about at the end of the day? |
Replies:
Posted By: Bluefrog
Date Posted: 30 March 2007 at 2:10am
|
Google for "network sniffer" or "ethereal" or any of the UNIX network admin type thingys. Then get ready to $4!+ your pants in abject horror. It's not that hard if you've got some kind of physical presence somewhere on the network. If you want to write the software, you *could*... But why? There are already very good mature tools to do exactly that, but better than you could. Might be fun to try for educational purposes though. ------------- http://renegademinds.com/" rel="nofollow - Renegade Minds - Guitar Software http://renegademinds.com/Default.aspx?tabid=65" rel="nofollow - Slow Down Music |
Posted By: Gullanian
Date Posted: 30 March 2007 at 8:20pm
|
Hi there Bluefrog! I think you misunderstood my question, I'm not interested in doing it at all, just wondering as to how much of a threat this is to that particular website. Tom |
Posted By: Bluefrog
Date Posted: 01 April 2007 at 1:32am
|
That's a bit of a hard question. The threat really isn't to the site per se, but to the user. It's highly unlikely that anyone could setup anything to really sniff that site, but they could sniff against users much more easily. You can almost be certain that the network admins are using sniffers on the bank site for diagnostics, but they aren't really a risk. The question is then more like, "How easy is it to setup a network sniffer to spy on end-users?" That will depend on the network that they are on, so there's a huge range to deal with. It's much easier to just setup a keylogger on a person's machine then let it do the work. That's almost trivial and you can easily write a keylogger in under a day. If you mean how easy is it to setup a network sniffer to spy on that site, then the answer is, "Really darn hard." For large corporations with big sites and for banking sites, you don't use things like IIS or Apache. iPlanet is still going to be a better platform. You're also going to use better servers running things like Solaris or BSD. In the front you'll have a firewall then a load balancer that uses a private IP address for communicating with the web servers (that are never truly visible to the Internet with a real IP address). So even if you can setup a network sniffer, it's unlikely that you can get any information from it. What you've got to do is to actually own one of the servers so that you can disable the security measures like the firewall, the IDS, etc. But once you've got that done, you've accomplished so much more than just what your network sniffer can do. You've essentially owned a banking server! This is not a trivial task, and would most likely require cooperation from administrators working for the bank, or some really serious homework with serious hardware. The investment there would be massive, and well beyond the means of most 'hackers'. i.e. You need to be able to recreate the environment to do security testing, and things like iPlanet and Solaris hardware are not cheap. And even then, if they're using Solaris, they're likely running zones for security and so even if you hack one zone, you're still sandboxed and unable to access other zones. Again, you need to know configurations for the site, and without massive amounts of work or an insider, you're never going to get anywhere. From the banking site's perspective, they are still very secure. ------------- http://renegademinds.com/" rel="nofollow - Renegade Minds - Guitar Software http://renegademinds.com/Default.aspx?tabid=65" rel="nofollow - Slow Down Music |
Posted By: the boss
Date Posted: 06 April 2007 at 7:21pm
|
any clear text transmitted over network is visible to all nodes on a given subnet. All you need is a sniffer like ethereal
------------- http://www.web2messenger.com/theboss"> 
|