0

Once I login to my website (a chat room), the URL contains uid=myusername&pass=mypass and it stays there indefinitely, and never goes, even while chatting..

Can a guest sniff what is in my address bar, especially that this is a chat room with many other users. Can a guest use any kind of tools or methods to steal this information? If a guest wants to sniff it, how would he do it(Step-by-step)... I already know that I should change the method to a post, but this is also for my research paper, on how an attacker can find out the address bar of a user even if not on same network. Please help if possible...

Jagex Online
  • 7
  • 6
  • Is it `http` or `https`? – Lemur Apr 04 '13 at 02:58
  • 1
    Send the user a link through chat. If the user follows it, there will be a [referer header](http://en.wikipedia.org/wiki/HTTP_referer) that contains the URL where the user came from. – Blender Apr 04 '13 at 02:58
  • It is http not a secure connection, but links dont open in the site... users need to open a new tab, any other thing an attacker can do? – Jagex Online Apr 04 '13 at 03:07

2 Answers2

0

Yes. They can discover this information in a couple of ways. If the chat room supports sending images or links, they can send you the URL of an image or page on a machine they control. When your browser requests the item, it passes along a header with the referrer url. In this case, it would be the URL of the page and its arguments.

Another way would be if they have access to the access logs on the server where you host the service. They can see the parameters in that, generally.

I'm sure there are probably others.

Todd
  • 30,472
  • 11
  • 81
  • 89
  • Can they use a way without having access to the server? and not using links, because I do not allow links in the chat – Jagex Online Apr 04 '13 at 03:09
0

Why don't you use history.replaceState to update url without reload page?

window.history.replaceState(statedata, title, YOUR_URL_WITHOUT_LOGIN_INFO);

You can call this function when document is ready after open the the new window

André Piropo
  • 35
  • 7