This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Why no Post messages captured in unsecured web page?

0

I am posting username and password in a not secured web page (no https).

While logging in to my account I am using Wireshark to try to capture my Post details. The result is that no Post message is captured.

Why is that?

(no ssl\tls messages captured, as expected - the site is not secured, as I mentioned - but there is a lot of tcp traffic on port 80)

asked 19 Aug '13, 23:44

itay_user

edited 19 Aug '13, 23:45


One Answer:

0

The result is that no Post message is captured. Why is that?

There are several possible reasons

  1. There are no POST requests, if/because the site uses GET requests
  2. You used a capture filter for the IP address of the web server, but the authentication is targeted to a different IP (authentication server)
  3. In addition to 2., the POST requests could be encrypted
  4. There are POST requests, but you did not see them (wrong display filter)

So, please check the following

  • If there was a capture filter in place (IP based), please remove that filter for a test
  • Then use this display filter: http.request.method eq POST

If you don't see any POST requests, please consider 1. and 2. of the list above. You could then just search for the username in the capture file.

Edit -> Find Packet -> String

Enter your username and let Wireshark search for that string in the whole file. As soon as it finds the packet, right click it and select "Follow TCP Stream". If Wireshark does not find the string it is either not in the capture file or the communication is encrypted.

BTW: If the server is a public server, please post the URL, so we can test it ourselves.

Regards
Kurt

answered 20 Aug '13, 01:27

Kurt Knochner ♦
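As an added illustration (not code from Kurt's answer, nor anything shipped with Wireshark), the following Python models the checks above over a handful of constructed TCP payloads: a host-based capture filter, the display filter http.request.method eq POST, the Edit -> Find Packet -> String search, and the default behaviour of only labelling TLS on port 443. The IP addresses, hostnames and credentials are made up for the demo; the point it adds is that credentials submitted with GET sit in the request line, and that a capture filtered to the page server's IP never contains a POST sent to a separate authentication host.

```python
"""Added example (not from the Q&A thread): a tiny model of the capture/display
filter and string-search checks, run over constructed payloads, not a real capture."""
import re
from typing import NamedTuple, Optional


class Packet(NamedTuple):
    src: str
    dst: str
    dst_port: int
    payload: bytes


# Constructed sample payloads standing in for reassembled TCP segments.
# All hosts, IPs and credentials here are invented.
SAMPLE_PACKETS = [
    # 0: login form submitted with GET -- the credentials ride in the query string
    Packet("10.0.0.5", "203.0.113.10", 80,
           b"GET /login?user=alice&pw=hunter2 HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    # 1: ordinary page load on the same server
    Packet("10.0.0.5", "203.0.113.10", 80,
           b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    # 2: TLS record (handshake) to a separate auth server on the standard HTTPS port
    Packet("10.0.0.5", "203.0.113.20", 443,
           b"\x16\x03\x01\x00\x2f\x01\x00\x00\x2b\x03\x03" + b"\x00" * 32),
    # 3: the same kind of TLS record on a non-standard port
    Packet("10.0.0.5", "203.0.113.30", 8443,
           b"\x16\x03\x01\x00\x2f\x01\x00\x00\x2b\x03\x03" + b"\x00" * 32),
    # 4: cleartext POST to a *different* IP than the page server
    Packet("10.0.0.5", "203.0.113.40", 80,
           b"POST /auth HTTP/1.1\r\nHost: auth.example.com\r\n"
           b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 22\r\n\r\n"
           b"user=alice&pw=s3cret42"),
]

REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]\r\n")


def parse_http_request(payload: bytes) -> Optional[dict]:
    """Return {'method', 'target', 'headers', 'body'} for an HTTP/1.x request, else None."""
    m = REQUEST_LINE.match(payload)
    if not m:
        return None
    head, _, body = payload.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return {"method": m.group(1).decode(), "target": m.group(2).decode(),
            "headers": headers, "body": body}


def looks_like_tls(payload: bytes) -> bool:
    """TLS record header: content type 0x16 (handshake), version major 0x03, minor 0x00..0x03."""
    return len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03 and payload[2] <= 0x03


def wireshark_like_label(pkt: Packet) -> str:
    """Mimic default dissection: the same TLS bytes are shown as TLS on port 443
    but appear as plain TCP on another port unless you tell Wireshark otherwise."""
    if parse_http_request(pkt.payload):
        return "HTTP"
    if looks_like_tls(pkt.payload) and pkt.dst_port == 443:
        return "TLS"
    return "TCP"


def capture_filter_host(packets, ip):
    """Equivalent of the capture filter `host <ip>`: keep only packets to/from that IP."""
    return [p for p in packets if ip in (p.src, p.dst)]


def display_filter_method(packets, method):
    """Equivalent of the display filter `http.request.method eq <METHOD>`."""
    out = []
    for p in packets:
        req = parse_http_request(p.payload)
        if req and req["method"] == method:
            out.append((p.dst, req["target"]))
    return out


def find_string(packets, needle: bytes):
    """Equivalent of Edit -> Find Packet -> String: indices of packets containing needle."""
    return [i for i, p in enumerate(packets) if needle in p.payload]


if __name__ == "__main__":
    print("POST, no capture filter:", display_filter_method(SAMPLE_PACKETS, "POST"))
    print("POST, capture filter host 203.0.113.10:",
          display_filter_method(capture_filter_host(SAMPLE_PACKETS, "203.0.113.10"), "POST"))
    print("packets containing 'alice':", find_string(SAMPLE_PACKETS, b"alice"))
    print("labels:", [wireshark_like_label(p) for p in SAMPLE_PACKETS])
```

Run as-is, the script shows the POST only when no host filter is in place, finds the username in both the GET request line and the POST body, and labels packet 3 as plain TCP even though it carries the same TLS record as packet 2.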

  1. I did not use any filter
  2. There is a packet with my user name but no packet with password.
  3. If the Post was encrypted I would have seen it as ssl\tls, won't I?
  4. With 1,2,3, If the log in process does not use Post, how can I see my password then?
(20 Aug '13, 02:00) itay_user
(20 Aug '13, 02:13) itay_user

There is a packet with my user name but no packet with password.

Maybe the password is scrambled by javascript in the browser.

If the Post was encrypted I would have seen it as ssl\tls, wont I?

Only, if the traffic uses the standard https port (443).

With 1,2,3, If the log in process does not use POST,

If you follow the tcp stream that contains your username, what HTTP method is used there? GET or POST?

how can I see my password then?

Well, that depends on internals of that site. If it uses javascript to scramble the password, you won't see it in cleartext in Wireshark. In that case the usual Browser Developer Tools will help.

(20 Aug '13, 02:14) Kurt Knochner ♦

http://newmail.walla.co.il/

No response from my location. Seems to be down right now.

(20 Aug '13, 02:16) Kurt Knochner ♦

I checked and saw that there are 5 Get packets from me to the server containing my username. So, you think that it all comes down to your last phrase (the JavaScript thing)? If I'm right, then could you post here a guide for that?

(20 Aug '13, 02:53) itay_user

So, you think that it all comes down to your last phrase? (the JavaScript thing)

Maybe. I can't check, as the site does not react when I try to access it.

(20 Aug '13, 02:54) Kurt Knochner ♦

It's up now.

(20 Aug '13, 03:01) itay_user

Well, if I do a test authentication, the whole traffic goes to friends.walla.co.il and is encrypted (TLSv1). So, that's the reason why you don't see the password. The main site does not use encryption, but the authentication form (together with javascript) uses SSL/TLS encryption.

(20 Aug '13, 05:24) Kurt Knochner ♦

Could you please add more explanation? How does this process work? If the traffic goes from my computer to the unsecured server and from there to another one (secured), I should be able to see this traffic on the part between my computer and the first server, no?

(21 Aug '13, 01:15) itay_user

how does this process work?

Well, that depends on the internal workings of that site. The best I can say: Please look at the HTML/Javascript code and learn more about web application design, especially about user authentication and session management ;-).

if the traffic goes from my computer to the unsecured server and from there to another one(secured)

It is not that way. Your client loads the unsecured page. In the HTML/Javascript code there is a 'link' to the secured page. So as soon as you submit the form, the form content will be sent to the secured server (done by your client). There may also be communication between the secured server and the unsecured server; however, it is impossible to see that on your client.

I should be able to see this traffic at the part of between my computer and the first server, no?

You will see the traffic between the unsecured and the secured server on your client, if you use the right capture filter (all IP addresses of both servers) or no filter at all.

(21 Aug '13, 03:10) Kurt Knochner ♦
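Kurt's point that the form on the unsecured page carries a 'link' to the secured server, and that the capture must include both hosts, can be checked from the page source itself. The following Python is an added example, not code from the thread or from Wireshark: it parses a constructed HTML page (hostnames invented, modelled on the situation described) with the standard-library html.parser, resolves each form's submit target against the page URL, reports whether that target is on another host and whether it uses https, and lists the hostnames a capture filter would have to include to see every submission.

```python
"""Added example (not from the thread): find where each form on a page actually
submits, so a capture filter is not restricted to the wrong server.
The HTML and hostnames below are constructed for the demo."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed page: served over plain HTTP, but its login form posts to a
# different, HTTPS-only host (the pattern described in the comments above).
PAGE_URL = "http://mail.example.test/"
SAMPLE_HTML = """
<html><body>
<form id="login" method="post" action="https://auth.example.test/login">
  <input name="user"><input type="password" name="pw">
</form>
<form id="search" method="get" action="/search">
  <input name="q">
</form>
<form id="newsletter" method="post">
  <input name="email">
</form>
</body></html>
"""


class FormCollector(HTMLParser):
    """Collect each <form>'s method, raw action and whether it has a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"id": a.get("id"),
                             "method": (a.get("method") or "get").upper(),
                             "action": a.get("action"),
                             "fields": [], "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["fields"].append(a.get("name"))
            if (a.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def analyse_forms(page_url: str, html: str):
    """Resolve each form's submit target against the page URL and report whether
    it goes to another host and whether that target is served over https."""
    p = FormCollector()
    p.feed(html)
    page = urlsplit(page_url)
    out = []
    for f in p.forms:
        target = urljoin(page_url, f["action"] or "")  # no action = submit to the page URL
        t = urlsplit(target)
        out.append({
            "id": f["id"],
            "method": f["method"],
            "target": target,
            "cross_host": t.hostname != page.hostname,
            "tls": t.scheme == "https",
            "has_password": f["has_password"],
        })
    return out


def capture_hosts(page_url: str, html: str):
    """Hostnames a capture must include to see every form submission from this page."""
    hosts = {urlsplit(page_url).hostname}
    hosts.update(urlsplit(r["target"]).hostname for r in analyse_forms(page_url, html))
    return sorted(hosts)


if __name__ == "__main__":
    for r in analyse_forms(PAGE_URL, SAMPLE_HTML):
        print(r)
    print("hosts to capture:", capture_hosts(PAGE_URL, SAMPLE_HTML))
```

On the constructed page the login form is the only one that leaves the page's host, and it does so over https, which is exactly the case where a capture limited to the page server's IP shows the username in GET requests but never the password. Forms whose action is set from JavaScript at submit time are not visible to a static parse like this; for those, the browser's developer tools (as Kurt suggests) show the request the client actually sends.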