Post cover image

June 14, 2026

Research On Packet Sniffing, HTTP and HTTPS Vulnerabilities, and Lack of Password Confirmation

Introduction

FARAZ A.K

11 min read

In today's digital world, web applications and network communications play a crucial role in business operations, online services, and personal activities. As organizations increasingly rely on internet-based technologies, protecting sensitive information from cyber threats has become a major concern. Attackers continuously search for weaknesses in network communication protocols, authentication mechanisms, and application security controls to gain unauthorized access to systems and data.

Among the most common security concerns are packet sniffing attacks, insecure HTTP communication, HTTPS misconfigurations, and weak authentication practices. These vulnerabilities can expose confidential information, compromise user accounts, and negatively impact an organization's security posture. Understanding how these vulnerabilities work and how they can be prevented is essential for developers, system administrators, and cybersecurity professionals.

This report explores packet sniffing, HTTP and HTTPS vulnerabilities, password confirmation mechanisms, and related security risks. It also discusses practical security considerations and best practices that organizations can implement to protect their applications and users from common cyber threats.

Packet Sniffing

Packet sniffing is the process of capturing and analysing network packets as they travel across a network. A packet is a small unit of data transmitted between devices over a network. Packet sniffing tools allow users to inspect the contents of these packets and monitor network communications in real time.

Packet sniffing is commonly used by network administrators for troubleshooting, performance analysis, and security monitoring. However, attackers may also use packet sniffing to intercept sensitive information such as usernames, passwords, session cookies, email communications, and financial data.

When network traffic is not encrypted, attackers positioned on the same network can capture packets and analyse their contents. This makes packet sniffing one of the most effective techniques for collecting information during cyberattacks. Packet sniffing can be classified into two categories:

Passive Packet Sniffing

Passive packet sniffing involves monitoring network traffic without modifying it. The attacker simply captures packets and analyses the information contained within them.

Active Packet Sniffing

Active packet sniffing involves interacting with the network to redirect or manipulate traffic. This is commonly used in switched network environments where direct packet capture may not be possible.

How Packet Sniffing is Used in Network Attacks

Attackers use packet sniffing to gather information that can later be used for exploitation. By monitoring network traffic, attackers can identify usernames, passwords, session identifiers, internal IP addresses, and other valuable information. Common attack scenarios include: Credential Theft Attackers capture login credentials transmitted over insecure protocols. Session Hijacking Session cookies captured through packet sniffing can be used to impersonate legitimate users. Information Gathering Network traffic may reveal sensitive organizational information such as internal systems, server names, and application architecture. Password Collection Unencrypted authentication mechanisms can expose passwords directly within captured packets. Reconnaissance Packet sniffing provides valuable information about network devices, operating systems, applications, and communication patterns.

Packet Sniffing Process

None

Tools Used for Packet Sniffing

Several tools are commonly used for packet capture and network analysis.

Wireshark :

Wireshark is one of the most popular and widely used network packet analysis tools. It is an open-source application that allows users to capture and inspect network traffic in real time. Network administrators, security analysts, and cybersecurity professionals use Wireshark to monitor network activity, troubleshoot connectivity issues, analyze protocols, and investigate security incidents. Its user-friendly graphical interface and support for thousands of network protocols make it an essential tool for network analysis and digital forensics.

How It Works and Example

Wireshark works by capturing packets that travel through a network interface and displaying them in a readable format. It allows users to examine packet details such as source and destination IP addresses, protocols used, and transmitted data. For example, if a user cannot access a website, a network administrator can use Wireshark to capture network traffic and identify whether DNS requests, TCP connections, or HTTP requests are failing. By analyzing the captured packets, the administrator can quickly locate and resolve the network issue.

Tcpdump:

Tcpdump is a powerful command-line packet capture and network analysis tool commonly used on Linux and Unix-based operating systems. It is lightweight, fast, and highly efficient for monitoring network traffic directly from the terminal. Unlike graphical tools such as Wireshark, Tcpdump operates through command-line commands, making it suitable for servers and remote systems where graphical interfaces may not be available. Network administrators and security professionals frequently use Tcpdump for troubleshooting network issues, monitoring traffic, and analyzing suspicious network activity.

How It Works and Example

Tcpdump works by capturing packets that pass through a selected network interface and displaying their details in real time. It supports advanced filtering options that allow users to capture only specific traffic, such as packets from a particular IP address, port, or protocol. For example, a system administrator troubleshooting a web server issue can use Tcpdump to capture HTTP or HTTPS traffic and verify whether client requests are reaching the server correctly. This helps identify network problems, detect malicious activity, and perform security analysis. Common use cases of Tcpdump include server monitoring, network troubleshooting, traffic analysis, and cybersecurity investigations.

Ettercap :

Ettercap is a network security and penetration testing tool designed for network monitoring, packet capture, and protocol analysis. It is widely used by cybersecurity professionals to analyze network traffic and assess network security. Ettercap supports both passive and active network analysis techniques and provides features for monitoring communications between devices on a network. Due to its ability to inspect and analyze network traffic, it is commonly used during security assessments and penetration testing activities to identify potential weaknesses in network configurations.

How It Works and Example

Ettercap works by capturing network traffic and analyzing communication between devices connected to the same network. It can monitor packets, inspect protocols, and provide detailed information about network activity. For example, during a security assessment, a penetration tester may use Ettercap to observe traffic flowing between client devices and a server to identify insecure protocols or sensitive information being transmitted without encryption. This helps organizations detect security weaknesses and improve their network security posture. Common use cases of Ettercap include security testing, network assessment, protocol analysis, and penetration testing.

NetworkMiner:

NetworkMiner is a network forensic analysis tool used to analyze captured network traffic and extract valuable information from network packets. Unlike traditional packet sniffing tools, NetworkMiner focuses on forensic investigation by automatically identifying hosts, extracting transferred files, recovering credentials, and reconstructing network sessions. It is widely used by digital forensic investigators, incident response teams, and cybersecurity professionals to analyze network activity and investigate security incidents.

How It Works and Example

NetworkMiner works by processing packet capture (PCAP) files or live network traffic and extracting useful information such as files, images, credentials, operating systems, and communication details. It automatically reconstructs network sessions, making it easier to understand what occurred during a network event. For example, during a malware investigation, a security analyst can use NetworkMiner to analyze captured traffic and identify malicious files downloaded by an infected system. This helps investigators determine the source of the attack and assess its impact. Common use cases of NetworkMiner include digital forensics, incident response, malware analysis, and network security investigations.

HTTP and HTTPS Vulnerabilities

HTTP and HTTPS are communication protocols used for data exchange between web browsers and servers. While both protocols serve similar purposes, they differ significantly in terms of security.

HTTP transmits information in plain text, making it vulnerable to interception and manipulation. HTTPS uses SSL/TLS encryption to protect communication and ensure confidentiality.

Understanding the security differences between HTTP and HTTPS is essential for protecting sensitive information transmitted over the internet.

What is HTTP?

HTTP (Hypertext Transfer Protocol) is a communication protocol used to transfer information between web browsers and web servers. Example: GET /login HTTP/1.1 Host: example.com

HTTP does not encrypt transmitted data. As a result, anyone capable of intercepting network traffic can view the information being exchanged.

Although HTTP is simple and efficient, it is not suitable for transmitting sensitive information such as passwords, payment details, and personal data

Risks of Using HTTP Instead of HTTPS

Using HTTP introduces several security risks because data is transmitted in plain text. Credential Theft Attackers can capture usernames and passwords transmitted through HTTP connections. Session Hijacking Session cookies transmitted over HTTP can be intercepted and reused by attackers. Data Interception Sensitive information may be viewed by unauthorized individuals monitoring network traffic. Man-in-the-Middle Attacks Attackers may intercept and modify communications between users and servers. Information Disclosure Confidential information such as personal details, emails, and payment information may be exposed.

What is HTTPS?

HTTPS (Hypertext Transfer Protocol Secure) is the secure version of HTTP. It uses SSL/TLS encryption to protect communication between browsers and servers. HTTPS provides: • Confidentiality • Integrity • Authentication • Secure communication Encryption ensures that intercepted traffic cannot be easily read or modified by attackers.

HTTPS Misconfigurations

Although HTTPS provides strong security, improper implementation can still introduce vulnerabilities.

Expired Certificates : Using expired certificates may cause browsers to display security warnings and reduce user trust.

Weak TLS Versions : Older protocols such as SSL and TLS 1.0 contain known security weaknesses and should be disabled.

Improper Certificate Validation : Applications that fail to validate certificates correctly may become vulnerable to man-in-themiddle attacks.

Mixed Content Issues : HTTPS pages that load resources over HTTP may expose users to security risks.

Weak Cipher Suites : Using outdated encryption algorithms can weaken HTTPS protection and increase the risk of compromise.

Improper Redirect Configuration : Applications that fail to enforce HTTPS may allow users to access insecure HTTP versions of the website.

Lack of Password Confirmation

Password confirmation is a security and usability feature commonly implemented in registration forms, password reset forms, and password change forms. It requires users to enter their chosen password twice to verify that both entries match before the password is accepted by the system.

The primary purpose of password confirmation is to reduce user errors during account creation or password updates. Since passwords are often hidden using asterisks or dots, users may accidentally enter incorrect characters without realizing it. The confirmation field helps ensure that the intended password is entered correctly.

Password confirmation improves both security and user experience by reducing login failures caused by typing mistakes and minimizing unnecessary password recovery requests. Importance of Password Confirmation Fields Password confirmation plays an important role in secure authentication systems. Preventing Typing Errors Users may accidentally enter incorrect characters while creating passwords. The confirmation field helps identify these mistakes immediately. Reducing Account Lockouts Incorrectly created passwords may prevent users from accessing their accounts. Confirmation fields reduce this risk. Improving User Experience Users can verify their intended password before account creation or password changes are finalized. Supporting Secure Authentication Password confirmation helps ensure that the user's chosen password is stored correctly. Reducing Support Requests Organizations receive fewer password reset requests when users create passwords correctly during registration.

Risks Associated with Missing Password Confirmation

Applications that fail to implement password confirmation mechanisms may expose users to several issues.

User Mistakes : Users may unknowingly create passwords different from what they intended.

Authentication Failures : Incorrect passwords may prevent users from accessing their accounts immediately after registration.

Increased Password Reset Requests : Users who cannot remember the mistakenly entered password may need to reset it.

Reduced User Satisfaction : Repeated login failures may frustrate users and negatively impact their experience.

Administrative Overhead : Support teams may receive additional requests related to password recovery and account access issues.

Example Scenario

Consider a user registering for a new online service. The user intends to create the password: Secure@123 However, while typing, they accidentally enter: Secure#123 If no confirmation field exists, the incorrect password is saved. Later, the user attempts to log in using the intended password and fails repeatedly. A password confirmation field would have detected the mismatch immediately and prevented the issue.

Clickjacking

Clickjacking is a web security vulnerability that tricks users into clicking on elements different from what they perceive. The attack is often performed using transparent or invisible frames placed over legitimate web content.

The attacker creates a malicious webpage that loads a target website inside an invisible iframe. The victim believes they are interacting with harmless content, but their clicks are actually performed on the hidden target application.

Clickjacking is also known as UI Redressing because it manipulates the user interface to deceive users into performing unintended actions.

How Clickjacking Works

A clickjacking attack typically follows these steps:

  1. The attacker creates a malicious webpage.
  2. The target website is loaded within a transparent iframe.
  3. The attacker positions attractive content over the hidden iframe.
  4. The victim interacts with the visible content.
  5. The click is redirected to the hidden application.
  6. Unintended actions are performed.

Because the victim performs the click voluntarily, traditional authentication mechanisms may not prevent the attack.

Clickjacking Attack Process

None

Practical Lab Demonstrations

Lab 1: Basic Clickjacking with CSRF token protection

Overview

The website allows itself to be loaded inside an iframe. The attacker places a transparent iframe over a fake button. When the victim clicks the fake button, they actually click Delete Account.

Steps

  1. Load /my-account inside an iframe.
  2. Make iframe transparent using opacity.
  3. Align fake button with Delete Account.
  4. Deliver exploit.
  5. Victim clicks fake button.
  6. Account gets deleted.

Important Points

  • Uses transparent iframe.
  • No protection like X-Frame-Options.
  • Victim clicks hidden button unknowingly.
  • Basic clickjacking attack.

Result

Victim's email address is changed to the attacker's chosen email.

None

Lab 2: Clickjacking with Prefilled Form Input

Overview

The email field can be pre-filled through a URL parameter. The attacker loads the page with an attacker-controlled email address and clickjacks the Update Email button.

Steps

  1. Create an iframe containing: /my-account?email=attacker@email.com

  2. Align fake content with the Update Email button.

  3. Make the iframe transparent.

  4. Deliver the exploit.

Important Points

  • Email value is controlled through URL parameters.
  • Only one click is needed.
  • Victim submits attacker-controlled data.

Result

Victim's email address is changed to the attacker's chosen email.

None

Lab 3: Clickjacking with Frame Buster Script

Overview

The website uses a frame-busting script to prevent clickjacking. The attacker bypasses it using a sandboxed iframe.

Steps

  1. Create an iframe with: sandbox="allow-forms"

  2. Load the email update page.

  3. Align the fake button.

  4. Deliver the exploit.

Important Points

  • Frame-buster tries to escape the iframe.
  • Sandbox restricts the frame-buster.
  • allow-forms permits form submission.

Result

Frame-buster protection is bypassed and the victim's email is changed.

None

Lab 4: Clickjacking with DOM XSS

Overview

The feedback page contains a DOM-based XSS vulnerability. Clickjacking is used to force the victim to submit a form containing an XSS payload.

Steps

  1. Load the feedback page in an iframe.
  2. Insert an XSS payload into a URL parameter.
  3. Align the fake button with Submit Feedback.
  4. Victim clicks the fake button.

Important Points

  • Combines Clickjacking + DOM XSS.
  • User-controlled input reaches the DOM.
  • JavaScript executes in the victim's browser.

Result

The XSS payload executes and the print dialog appears.

None

Lab 5: Multistep Clickjacking

Overview

The website requires two clicks to delete an account:

  1. Delete Account
  2. Confirm Yes The attacker clickjacks both actions.

Steps

  1. Create two fake buttons.
  2. Align first button with Delete Account.
  3. Align second button with Yes.
  4. Deliver the exploit.

Important Points

  • Multiple user interactions can be hijacked.
  • Confirmation pages alone do not stop clickjacking.
  • The iframe remains active across pages.

Result

Victim unknowingly completes both steps and deletes their account.

None

Prevention and Mitigation Strategies Organizations should implement multiple security controls to reduce the risk of packet sniffing, HTTPS vulnerabilities, authentication issues, and clickjacking attacks. Packet Sniffing Protection

  • Use HTTPS encryption.
  • Secure wireless networks.
  • Use VPN solutions.
  • Encrypt sensitive traffic.
  • Monitor network activity.

HTTP/HTTPS Security

  • Enforce HTTPS across the application.
  • Disable outdated TLS versions.
  • Use valid SSL/TLS certificates.
  • Enable HSTS.
  • Avoid mixed-content issues.

Password Confirmation Security

  • Require password confirmation fields.
  • • Validate passwords server-side.
  • • Display validation errors clearly.
  • • Enforce strong password policies.

Clickjacking Protection

X-Frame-Options : Prevent pages from being loaded inside frames.

Content Security Policy (CSP) : Restrict which domains may embed application content.

Frame Busting Techniques : Prevent unauthorized framing of web pages.

SameSite Cookies : Reduce the effectiveness of certain clickjacking attacks.

Importance of Secure Web Applications

Secure web applications protect user information, maintain trust, and reduce the likelihood of successful cyberattacks. Organizations must continuously evaluate their security posture and address weaknesses before they can be exploited.

Regular security testing helps identify vulnerabilities related to packet sniffing, insecure communication, authentication weaknesses, and clickjacking attacks. Many organizations work with penetration testing vendors to identify and remediate security issues before attackers can exploit them.

Conclusion

Packet sniffing, insecure HTTP communication, HTTPS misconfigurations, weak password validation mechanisms, and clickjacking vulnerabilities can all pose significant security risks to modern web applications. Attackers may exploit these weaknesses to intercept sensitive information, compromise user accounts, or perform unauthorized actions. By implementing secure communication protocols, strong authentication practices, proper password validation, clickjacking protections, and regular security assessments, organizations can significantly improve their overall security posture and better protect users from cyber threats.

References