PassEye: Sniffing Your Password from HTTP Sessions by Deep Neural Network

Download PDF
Open Webpage

Zhiqing Rui, Jingzheng Wu, Yanjie Shao, Tianyue Luo, Mutian Yang, Yanjun Wu, Bin Wu

Published: 01 Jan 2020, Last Modified: 13 Nov 2024CNCERT 2020EveryoneRevisionsBibTeXCC BY-SA 4.0
Abstract: Passwords are the most widely used method for user authentication in HTTP websites. Password sniffing attacks are considered a common way to steal password. However, most existing methods have many deficiencies in versatility and automation, such as manual analysis, keyword matching, regular expression and SniffPass. In this paper, to better describe the problem, we propose a HTTP Sessions Password Sniffing (HSPS) attack model which is more suitable in HTTP environment. Furthermore, we propose PassEye, a novel deep neural networkbased implementation of HSPS attack. PassEye is a binary neural network classifier that learns features from the HTTP sessions and identifies Password Authentication Session (PAS). We collected 979,681 HTTP sessions from the HTTP and HTTPS websites for training the binary classifier. The results show that PassEye is effective in sniffing the passwords with an accuracy of 99.38%. In addition, several measures are provided to prevent HSPS attacks in the end.

OpenReview is a long-term project to advance science through improved peer review with legal nonprofit status. We gratefully acknowledge the support of the OpenReview Sponsors. © 2025 OpenReview