Firefox says "unprotected" but tcpdump does not show PW - password-encryption

When I log in to a certain HTTP website, Firefox warns about an insecure connection.
Then I perform a login while reading the traffic with tcpdump. Theoretically I should see my PW as plain text or a hash of it. But it is not there!
Can anyone help me find out whether the PW is really being broadcast unencrypted on the net?
How do I go on testing it?
Thx a lot...

Related

Backspying on spying Website

If you would need to see what Information a Site has on you, based on the Cookie ID that they've stored on your Computer, how exactly would one do that?
You can't.
A cookie is best considered an opaque ticket, passed from the server to the client, for the client to return to the server as a means of storing state, or a reference to server-side persisted state, without the server needing to keep track of it itself.
Granted, some cookies are non-opaque, especially those that are intentionally exposed to JavaScript (such as storing client-side preferences), but I'm assuming you're not interested in those.
So there is no way for an HTTP client to peer into a webserver's stored state. That's the point. Otherwise it would be insecure.
Here's a simple demonstration:
[Client] Hi Server. My name is Boris.
[Server] Hi Boris. I have assigned you visitor number 3. I have remembered your name is "Boris" and saved it in my internal database, associated with the number 3. Please refer to yourself as 3 in all future requests.
[Client] Okay, thanks, goodbye.
(weeks pass)
[Client] Hi Server, remember me? I am visitor 3.
[Server] Yes, hello Boris.
[Client] I am visitor 3. Please remember that my hair is yellow.
[Server] Yes, I have remembered that visitor 3 also has yellow hair.
(weeks pass)
[Client] Hi Server, remember me? I am visitor 3. What color is my hair?
[Server] Your hair is yellow.
(more time passes)
[Client] Hi Server, I am visitor 3. What information do you have stored about me?
[Server] Hi visitor 3. I know your name and your hair color, but I won't tell you because I don't want to. I didn't even have to tell you that I knew those details.
So even though the cookie in this case is merely the number "3", the client has no way of knowing what the server has stored about it.
Unless the site stores things in your cookie, you're probably not able to get much. The cookie often has a userId or sessionId in it that the site uses to look up the information it knows about you. That information is stored in a database that you won't be able to get access to.
Some things you could do:
Open the developer tools in your browser and look at the internet traffic that goes back and forth. You may be able to see some information about yourself there.
Use a tool like Fiddler or BurpSuite to sniff the traffic between your computer and the site in question.
It may be wise to delete your cookies regularly or find a browser plugin like Self-Destructing Cookies if this bothers you.

Port number getting stripped out of URL

I have a Django-based website that's presented through gunicorn with nginx as a reverse proxy. It's on port 81. The relevant portion of the configuration file looks like this:
upstream elearning_server {
    server localhost:8000;
}
server {
    listen 81;
    ......
If you go to:
http://webaddress:81
the first time after you log in, it removes the port number and fails to connect to the website. If you then put the port number back into the url it works fine.
Has anyone got any suggestions of what I can try to fix this problem?
What is happening is that your web server, as part of the login process is 'redirecting' your browser to a different web address. The problem is that the web address your browser is being redirected to doesn't exist, because it is being redirected to the wrong web address. When you modify the web address, you are correcting this error.
Obviously the solution is to correct this problem in the code, so you are sent straight to the correct web address without you needing to correct this.
The solution depends on your code. It is worth looking at it with the following in mind.
Is there something like:
return HttpResponseRedirect('http://website/dir/')
in your code somewhere? This would need to be altered to include the port number, i.e.
return HttpResponseRedirect('http://website:81/dir/')
Or, even better,
return HttpResponseRedirect('/dir/')
(This will mean that it won't matter what port the server is on, because the redirect is 'relative'. This would be the usual way to code this sort of thing.)
If a quick perusal of the source doesn't cast any light, I would suggest that the next step would be to look in the access logs (and maybe error logs) from the web server, and look for '3xx' type messages, probably '301' and '302' messages, and this may give you some clue as to what is happening, and where in the code.
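An added example, not part of the original answer: it resolves a redirect's Location header the way a browser does, which shows why the relative form keeps port 81 while the absolute form without a port lands on port 80. The host name, paths and sample responses are constructed for illustration.

```python
# Added example (not from the original answer): resolve redirect targets the
# way a browser does and flag the ones that silently change the port.
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return (scheme, host, port), filling in the scheme's default port."""
    parts = urlsplit(url)
    return (parts.scheme, parts.hostname,
            parts.port or DEFAULT_PORTS.get(parts.scheme))


def resolve_redirect(request_url, location):
    """Resolve a Location header against the URL that was requested."""
    return urljoin(request_url, location)


def port_dropping_redirects(responses):
    """Return the 3xx responses whose target keeps scheme and host but
    lands on a different port than the request used."""
    findings = []
    for request_url, status, location in responses:
        if not 300 <= status < 400 or not location:
            continue
        target = resolve_redirect(request_url, location)
        req, tgt = origin(request_url), origin(target)
        if req[:2] == tgt[:2] and req[2] != tgt[2]:
            findings.append((request_url, status, location, target))
    return findings


# Constructed sample: one login request answered with each redirect form
# from the answer above; the host name and paths are assumptions.
LOGIN = "http://webaddress:81/login/"
SAMPLE = [
    (LOGIN, 302, "http://webaddress/dir/"),     # absolute, port missing
    (LOGIN, 302, "http://webaddress:81/dir/"),  # absolute, port included
    (LOGIN, 302, "/dir/"),                      # relative to the request
    (LOGIN, 200, None),                         # not a redirect
]

if __name__ == "__main__":
    for request_url, status, location, target in port_dropping_redirects(SAMPLE):
        print(f"{status} on {request_url}: Location {location!r} -> {target}")
```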

AJAX response not valid in C++ but Apache

I want to make a server written in C++ to power my game. I learned the basics of sockets and wrote a basic chat program that worked well. Now I want to create an HTTP server like Apache, but only for the AJAX request-response part.
I think just for the beginning I copied one Apache response text, and I sent the exact response with the C++ server program.
The problem is that the browser (Firefox) connects to Apache and everything works fine, except all of the requests get a correct response.
But if I send this with the C++ client, then Firebug tells me that the response status is OK (200) but there is no actual response text. (How is this possible?)
This response text is exactly the same as what Apache sends. I made a bit-by-bit comparison and they were the same.
The PHP file which is the original response:
<?php echo "AS";echo rand(0,9); ?>
And the original source code:
Socket.h http://pastebin.com/bW9qxtrR
Socket.cpp http://pastebin.com/S3c8RFM7
main.cpp http://pastebin.com/ckExuXsR
index.html http://pastebin.com/mcfEEqPP < this is the requester file.
ajax.js http://pastebin.com/uXJe9hVC
benchmark.js http://pastebin.com/djSYtKg9
jQuery is not needed.
In main.cpp there is a lot of trash code, like the main3 and main4 functions; these do not affect the result.
I know that the response stuff in the C++ code is not really good because the connection closing is not the best; I will fix that later. For now I want to send a success response first.
The problem:
The index.html is served through Apache on port 80. The browser loads it and starts sending requests.
The request file (program) was on another port, port 8888, which already counts as a different server, which doesn't enable AJAX (don't know why) to get the POST data. The program can still communicate with remote servers but can't see the response.
After one whole day I tested a lot with the Fiddler program, captured the responses, and that method helped me.
I used the Fiddler program to capture the good answer and to capture the bad. They were the same. After this I turned off my socket application and forced Fiddler to auto-respond, and the 'bad' answer was still bad. So after that I replaced the bad with the good and nothing happened. The bad answer with the good text was still bad on the :8888 port, but the other on the original :80 port was good, even though they were absolutely the same and the same program (Fiddler) sent them. I think there is something missing if the response is not on the same server address (even not the same port).
After this I thought maybe there is a missing header file, or something like this.
So I configured Apache to listen on port 80 and loaded index.html. After this I shut down the Apache server, changed the port to 8888, ran the AJAX requests, and recognized that they are wrong, but they were sent by Apache, and all of the previous requests (on the same port) were good. So the problem is only with the AJAX stuff :D
Many thanks to Tony Lee for the Fiddler suggestion.
Actually there is no solution but there is an answer why the problem exists.
I don't know how you're verifying bit-by-bit - if you used fiddler to capture the traffic then this is a mystery.
I'm going to guess the unsent buffered data is lost when you close the socket. See the MSDN article Graceful Shutdown, Linger Options, and Socket Closure. Call shutdown() before you call closesocket() to ensure a clean shutdown.
Not really an answer to your question, but you might find it useful.
Instead of Apache code you can try libevent. It has functions just to make http servers and it probably will be much faster than Apache code.
Check this link. There is some info about building http server with libevent.

Facebook Connect not setting cookies

I'm trying to implement Facebook Connect on a website with .NET MVC using C#.
I've followed the instructions here: http://wiki.developers.facebook.com/index.php/Trying_Out_Facebook_Connect step by step. I can make the login work as in that when I log in through the site I'm also logged into Facebook.
In order to work with this in the server I think I need to access the cookies Facebook is supposed to leave like:
APIKEY_user
APIKEY_session_key
...
as mentioned here http://wiki.developers.facebook.com/index.php/Verifying_The_Signature.
The thing is I'm not getting any of these cookies. I've googled and it seems like I'm the only person with this problem. Any ideas as to what I could be doing wrong ? Has this happened to anyone else ?
The issue was that I was developing locally using localhost.
I resolved the problem by changing the settings for the application to point to a certain web address instead of localhost and changing my hosts file to point that same web address to 127.0.0.1.
From the UI/client-side perspective, always ensure you have the correct path indicated for the xd_receiver file in your FB.init() method.
Firecookie is very useful for seeing what Cookies are/aren't being set.

CFMail with catchall email addresses

I can't believe I've never noticed this before, but it seems that CFMail won't send to an email address that isn't explicitly set up on the destination mailserver.
This means that if I'm using 'info#somedomainorother.com' and have that set up to catch all email on the domain, CFMail won't send to 'test#somedomainorother.com'.
This causes a massive amount of problems for me, as I'm using CFMail to send out order confirmations, member activations and all manner of other bits and pieces.
Whatever your views on using catchall addresses, it can't be denied that people do use them. So, in any case that a user enters a made-up address into one of my sites, they won't receive their email.
There must, simply MUST be a way around this - can anyone help?
For reference, the message that appears in the logs when sending to a catchall address is 'Invalid Addresses'.
EDIT: Here's the CFMail syntax I'm using -
<cfmail to="#Arguments.sEmailAddress#" from="#Application.sAppEmailAddress#" subject="Stock reminder confirmation: #Local.qGetProductDetails.sProductName# - #Application.sCompanyName#" type="HTML" server="#Application.sAppEmailServer#" username="#Application.sAppEmailAddress#" password="#Application.sAppEmailPassword#">
Translates into:
<cfmail to="thisisatest#somedomainorother.com" from="application#mydomainname.com" subject="Stock reminder confirmation: Some product - My Company" type="HTML" server="mail.mydomainname.com" username="application#mydomainname.com" password="XXXXXX">
All works fine for info#somedomainorother.com but not for randombunchofcharacters#somedomainorother.com.
Important to note of course, that the catch-all is working correctly in all other respects, test emails from mail clients work perfectly.
It's not ColdFusion that cares about email validity, it's the SMTP server. CF only cares about well-formed email addresses.
If you initiated a telnet session to your mail server and tried to use the same address, I'm sure it would have the same result.
Debugging tips for SMTP Connectivity:
http://www.talkingtree.com/blog/index.cfm/2004/11/22/debug-smtp
Can I see your CFMAIL tag setup? CFMAIL doesn't care as long as the email address is properly formatted.
Urgh!
Turns out it was an issue with the server. For some reason, catchall email accounts serverwide had stopped working properly. After an email to my hosting provider, it's all working fine with no code changes.
They're somewhat cagey as to what caused the issue, and I was still able to use an email client to send mail out to the addresses...
Thanks for the help in any case. ;)