Capturing HTTP traffic with Wireshark

Most of us have to use certain tools when working with large clients or corporations, because that is what works for them, and I personally prefer it when those tools are web interfaces rather than MS Office documents and Exchange servers. Sadly, one of them did not run on HTTPS, and I raised a security concern with the administrator.

Luckily they responded and fixed the mistake fairly quickly.

To get my concern taken seriously I described a scenario (for example a user on a public or WEP-only Wi-Fi) and demonstrated that I could capture the traffic being sent, which is bad because the new system was designed to handle quite personal data.

aslo_id=new&activity=somegroupid&pers_id=2423456984&unixtime=1423004400&init=myusername&action=upload_log&section1=&personal_data=A_LOT_OF_REALLY_PERSONAL_DATA_HERE_WHICH_SHOULD_NOT_BE_READABLE&generelt=

As you can see from this little snippet, the data was sent in a plain HTTP packet that is easy to read. If a value is sent as a GET parameter of the request, even a person with access to the router's admin page might see what is written there, which is very bad.

The way I captured these packets was by using Wireshark, formerly the Ethereal project, running on my local computer. The security angle is that even if the attacker had no access to your computer, they could still use Wireshark on an unencrypted wireless network to achieve the same goal.

When I first mentioned this I got a question in return:

Would anyone actually do this?

regarding whether a user would actually access a site that deals with sensitive data over an unencrypted network. My response was that it didn't matter, as long as the possibility was there.

There are a lot of people using the system, and you can never predict what an average user will do. It's kind of the same as omitting a password reset feature from your product because, well, people can just stop forgetting their passwords, right?

I recommend you make sure that all your web apps run over HTTPS, especially the ones dealing with sensitive data. It's a matter that ought to move up your to-do list very quickly.

When thinking about security, you should not think of what people should do with your system, but of what people have the possibility to do. After spending time on the security side of networking, web programming and hosting you will become very cautious about these things sooner or later, but it should probably happen before somebody dumps your database or captures your data.

Below you can see what a portion of a packet capture file looks like, not only the problematic request. Basically, the quickest way to find the problematic parts is to remember what you typed into the input fields and search your packet capture file for that, as I did in this case.

[pcapng section header: Linux 3.18.5-1-ARCH, Dumpcap 1.12.3 (Git Rev Unknown from unknown), interface enp3s0. The binary frame and block headers between the packets are omitted below; only the HTTP text is shown.]

GET /includes/jquery_ajax.php?action=checkUpdating HTTP/1.1
Host: anonymized.host.tld
Connection: keep-alive
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.94 Safari/537.36
Referer: http://anonymized.host.tld/some-url-path
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en,en-US;q=0.8,de-DE;q=0.6,de;q=0.4,da;q=0.2
Cookie: PHPSESSID=*removed*

HTTP/1.1 200 OK
Date: Thu, 05 Feb 2015 09:29:25 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PHP/5.4.16
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 24

status:ready;05/02 09:02

POST /includes/jquery_ajax.php HTTP/1.1
Host: anonymized.host.tld
Connection: keep-alive
Content-Length: 203
Accept: */*
Origin: http://anonymized.host.tld
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.94 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://anonymized.host.tld/some-url-path
Accept-Encoding: gzip, deflate
Accept-Language: en,en-US;q=0.8,de-DE;q=0.6,de;q=0.4,da;q=0.2
Cookie: PHPSESSID=*removed*

aslo_id=new&activity=somegroupid&pers_id=09403123984&unixtime=1423004400&init=myusername&action=upload_log&section1=&personal_data=A_LOT_OF_REALLY_PERSONAL_DATA_HERE_WHICH_SHOULD_NOT_BE_READABLE&generelt=

HTTP/1.1 200 OK
Date: Thu, 05 Feb 2015 09:29:27 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PHP/5.4.16
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 4

7207

GET /includes/jquery_ajax.php?action=checkUpdating HTTP/1.1
Host: anonymized.host.tld
Connection: keep-alive
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.94 Safari/537.36
Referer: http://anonymized.host.tld/index.php?p=54&activity=somegroupid
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en,en-US;q=0.8,de-DE;q=0.6,de;q=0.4,da;q=0.2
Cookie: PHPSESSID=*removed*

HTTP/1.1 200 OK
Date: Thu, 05 Feb 2015 09:29:28 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PHP/5.4.16
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 24

status:ready;05/02 09:02
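As an added example (not the post's own code), here is a small Python scanner that walks a classic libpcap file (Wireshark can save a capture like the pcapng one above in that format), finds every HTTP request sent in the clear without parsing the Ethernet/IP/TCP headers in front of it, and reports only the names of the form fields and cookies each request carries. The sample capture at the bottom is constructed inline with dummy link and IP headers, so the script runs offline.

```python
# Added example, not the post's own code: scan a classic libpcap file for HTTP
# requests sent in the clear and report the form fields and cookies they expose.
import re
import struct
from typing import Dict, List

# request line, headers, blank line, body; searched over raw frame bytes, so the
# Ethernet/IP/TCP headers in front of the HTTP text need no parsing
REQ_RE = re.compile(rb"(GET|POST) (\S+) HTTP/1\.[01]\r\n(.*?)\r\n\r\n(.*)", re.S)

def pcap_records(data: bytes) -> List[bytes]:
    """Captured bytes of every record in a libpcap (not pcapng) file."""
    e = "<" if data[:4] in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1") else ">"
    off, out = 24, []                                   # skip the 24-byte file header
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(e + "IIII", data[off:off + 16])
        out.append(data[off + 16:off + 16 + incl_len])
        off += 16 + incl_len
    return out

def plaintext_requests(pcap: bytes) -> List[Dict[str, object]]:
    """One finding per cleartext request; field and cookie values are never returned."""
    findings = []
    for pkt in pcap_records(pcap):
        m = REQ_RE.search(pkt)
        if not m:
            continue
        method, path, hdr_blob, body = m.groups()
        headers = dict(h.split(b": ", 1) for h in hdr_blob.split(b"\r\n") if b": " in h)
        query = path.split(b"?", 1)[1] if b"?" in path else b""       # GET params count too
        fields = [kv.split(b"=", 1)[0] for kv in (body + b"&" + query).split(b"&") if kv]
        cookies = [c.split(b"=", 1)[0].strip() for c in headers.get(b"Cookie", b"").split(b";") if c.strip()]
        findings.append({"method": method.decode(), "path": path.split(b"?", 1)[0].decode(),
                         "host": headers.get(b"Host", b"").decode(),
                         "fields": sorted(f.decode() for f in fields),
                         "cookies": sorted(c.decode() for c in cookies)})
    return findings

def _record(payload: bytes) -> bytes:     # constructed frame: 54 dummy L2-L4 header bytes
    frame = b"\x00" * 54 + payload
    return struct.pack("<IIII", 1423128567, 0, len(frame), len(frame)) + frame

# constructed sample capture: a GET with a query string, the POST and one response
SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + _record(
    b"GET /includes/jquery_ajax.php?action=checkUpdating HTTP/1.1\r\nHost: anonymized.host.tld\r\n"
    b"Cookie: PHPSESSID=removed\r\n\r\n") + _record(
    b"POST /includes/jquery_ajax.php HTTP/1.1\r\nHost: anonymized.host.tld\r\nCookie: PHPSESSID=removed\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n\r\naslo_id=new&pers_id=0&action=upload_log&personal_data=X"
) + _record(b"HTTP/1.1 200 OK\r\nContent-Length: 4\r\n\r\n7207")
```

Intersect the reported names with your own list of sensitive ones (personal_data, PHPSESSID) to turn this into a pass/fail check on a test capture taken before a site goes in front of users.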
