Is my form password being passed in clear text?

Published 2019-04-25 01:04

This is what my browser sent, when logging into some site:

POST http://www.some.site/login.php HTTP/1.0
User-Agent: Opera/8.26 (X2000; Linux i686; Z; en)
Host: www.some.site
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: en-US,en;q=0.9
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
Referer: http://www.some.site/
Proxy-Connection: close
Content-Length: 123
Content-Type: application/x-www-form-urlencoded

lots_of_stuff=here&e2ad811=my_login_name&e327696=my_password&lots_of_stuff=here

Can I state that anyone can sniff my login name and password for that site? Maybe just on my LAN?
If so (even only on a LAN), then I'm shocked. I thought using

<input type="password">

did something more than make all characters look like '*'.

p.s. If it matters, I played with netcat (on Linux) and made the connection
browser <=> netcat (logged here) <=> proxy <=> remote_site
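The capture above already answers the question, and the following added example (not code from the question or from any of the answers) makes the point concrete: it runs a passive check, of the kind a network monitor or DLP sensor performs, over a constructed copy of the captured request and lists every form field exactly as it travelled. The field names and URL are taken from the question; the name-hint list is an assumption for the example.

```python
"""Added example (not code from the question or any answer): a passive check,
of the kind a network monitor or DLP sensor performs, run over the request the
asker captured with netcat. It shows that a form-urlencoded body carries every
field, password included, as plain readable text. The request is reproduced
here as a constructed string; the field names are taken from the question.
"""
from urllib.parse import parse_qs, urlsplit

# Body exactly as shown in the question.
CAPTURED_BODY = (
    "lots_of_stuff=here&e2ad811=my_login_name"
    "&e327696=my_password&lots_of_stuff=here"
)

# Request as the asker's netcat tap saw it (headers trimmed to the relevant ones).
# The target is in absolute form because the browser was talking to a proxy.
CAPTURED_REQUEST = (
    "POST http://www.some.site/login.php HTTP/1.0\r\n"
    "Host: www.some.site\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    f"Content-Length: {len(CAPTURED_BODY)}\r\n"
    "\r\n"
    + CAPTURED_BODY
)

# Field-name fragments that usually mark a credential. Assumed list for the
# example; the site in the question uses obfuscated names, so it will not match.
PASSWORD_NAME_HINTS = ("pass", "pwd", "secret", "token")


def parse_request(raw: str):
    """Split a raw HTTP/1.x request into (method, target, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def find_cleartext_form_submission(raw: str):
    """Return a report dict for a form POST seen on the wire, or None.

    Anything parsed from a raw byte stream like this was, by definition, not
    protected by TLS: a sniffer sees the same bytes the proxy and server do.
    """
    method, target, headers, body = parse_request(raw)
    ctype = headers.get("content-type", "")
    if method != "POST" or not ctype.startswith("application/x-www-form-urlencoded"):
        return None
    url = urlsplit(target)
    fields = parse_qs(body, keep_blank_values=True)
    suspected = [name for name in fields
                 if any(hint in name.lower() for hint in PASSWORD_NAME_HINTS)]
    return {
        "host": url.hostname or headers.get("host", ""),
        "path": url.path or target,
        "scheme": url.scheme or "http",   # origin-form targets carry no scheme
        "fields": fields,                  # every value is readable as sent
        "suspected_password_fields": suspected,
    }


if __name__ == "__main__":
    report = find_cleartext_form_submission(CAPTURED_REQUEST)
    print(f"POST to {report['scheme']}://{report['host']}{report['path']}")
    for name, values in report["fields"].items():
        print(f"  {name} = {values}")
    if not report["suspected_password_fields"]:
        print("no field is named like a password, yet my_password is right there")
```

Note the edge case the captured request exposes: the site gave its inputs opaque names (e2ad811, e327696), so a monitor that only looks for fields called "password" finds nothing, while the value is still sitting in the body in the clear. Obscured field names are not a control; only the transport (HTTPS) is.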

5 answers
家丑人穷心不美
#2 · 2019-04-25 01:24

All data sent through an HTTP connection can be seen by someone on your route to the server (man-in-the-middle attack).

type="password" only hides the characters on-screen, and even other programs on your computer can read the data.

The only way to protect the data is to send it through SSL (HTTPS instead of HTTP).

贼婆χ
#3 · 2019-04-25 01:31

Contents of a POST body are visible, i.e., "in the clear," if transported on a non-encrypted channel. If you wish to protect the HTTP body from being sniffed, you should do so over a secure channel, via HTTPS.

Viruses.
#4 · 2019-04-25 01:32

You can either encrypt the HTTP connection via HTTPS, or there are MD5 and other hashing algorithms implemented in JavaScript that can be used client side to hash the password before sending it, hence stopping a sniffer from being able to read your password.

Root(大扎)
#5 · 2019-04-25 01:35

type="password" only hides the characters on-screen. If you want to stop sniffing, you need to encrypt the connection (i.e. HTTPS).

疯言疯语
#6 · 2019-04-25 01:35

Yes, your credentials are passed in cleartext; anyone who can hear your network traffic can sniff them.

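Several answers give the same advice, use HTTPS, without saying what that looks like on the server. The following added example (not code from any answer or from the site in the question) shows the server-side half of that advice as a WSGI guard: the login form is only read over HTTPS, a plain-HTTP GET of the form is redirected to the secure URL, a plain-HTTP POST of credentials is refused rather than redirected, and every HTTPS response carries HSTS so the browser stops using plain HTTP for the host. The path /login.php and the host www.some.site come from the question; the handler, the header-trust switch and the driver function are assumptions for the example.

```python
"""Added example (not code from any answer): a WSGI guard that enforces the
answers' advice on the server side. A login form may only be read over HTTPS;
a plain-HTTP GET of the login page is redirected, a plain-HTTP POST of
credentials is refused outright, and every HTTPS response carries HSTS so the
browser will not use plain HTTP for this host again. The path /login.php is
taken from the question; everything else is assumed for the example.
"""

LOGIN_PATHS = {"/login.php"}
HSTS_HEADER = ("Strict-Transport-Security", "max-age=31536000; includeSubDomains")


def request_is_https(environ, trust_forwarded_proto=False):
    """True when the request reached us over TLS.

    wsgi.url_scheme reflects the socket the server itself accepted.
    X-Forwarded-Proto is only meaningful when set by a TLS-terminating proxy
    you control; a client can send that header too, so it is off by default.
    """
    if environ.get("wsgi.url_scheme") == "https":
        return True
    if trust_forwarded_proto:
        return environ.get("HTTP_X_FORWARDED_PROTO", "").lower() == "https"
    return False


def require_https_for_login(app, trust_forwarded_proto=False):
    """Wrap a WSGI app so credentials are never accepted over plain HTTP."""

    def guarded(environ, start_response):
        path = environ.get("PATH_INFO", "")
        method = environ.get("REQUEST_METHOD", "GET")

        if request_is_https(environ, trust_forwarded_proto):
            # Normal processing, plus HSTS on every secure response.
            def start_with_hsts(status, headers, exc_info=None):
                return start_response(status, headers + [HSTS_HEADER], exc_info)
            return app(environ, start_with_hsts)

        if path not in LOGIN_PATHS:
            return app(environ, start_response)

        host = environ.get("HTTP_HOST") or environ.get("SERVER_NAME", "")
        if method == "POST":
            # The body has already crossed the network unprotected. Do not read
            # it, and do not redirect it (a 307 would just resend it); the
            # credentials it carries should be treated as exposed.
            body = (b"Login over plain HTTP is not accepted. Use https://"
                    + host.encode() + path.encode() + b"\n")
            start_response("403 Forbidden", [("Content-Type", "text/plain"),
                                             ("Content-Length", str(len(body)))])
            return [body]

        # A GET for the empty form carries no secret; send it to the secure URL.
        location = f"https://{host}{path}"
        start_response("301 Moved Permanently",
                       [("Location", location), ("Content-Length", "0")])
        return [b""]

    return guarded


def login_app(environ, start_response):
    """Stand-in for the real login handler (assumed for the example)."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"login form\n"]


def call(app, method, path, scheme, host="www.some.site", **extra_environ):
    """Minimal in-process WSGI driver used for the demo and the tests."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path,
               "wsgi.url_scheme": scheme, "HTTP_HOST": host}
    environ.update(extra_environ)
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    app = require_https_for_login(login_app)
    for method, scheme in (("GET", "http"), ("POST", "http"), ("POST", "https")):
        status, headers, _ = call(app, method, "/login.php", scheme)
        print(f"{method} {scheme}://www.some.site/login.php -> {status} {headers}")
```

Two design choices matter here. A POST that arrived over plain HTTP is refused with 403 instead of being redirected, because a redirect that preserves the body would only resend credentials that a sniffer has already had a chance to read. And X-Forwarded-Proto is ignored unless explicitly trusted, because any client can set that header; only a TLS-terminating proxy in front of the application is allowed to vouch for the scheme.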