# Revision history [back]

1. Try to use host stealmylogin.com as capture filter. It'll resolve the name and filter by corresponding IP.

2. BUT the site you're talking about is a bit more complex. You'll not spot any clear-text POST request as the second part (credentials transfer) uses different name (example.com) and TLS-encrypted.

They clearly say the next:

If you look at the source code of the demo page, you'll see that we injected a malicious JavaScript file stealmylogin.js into the page, just as an attacker might. This malicious code steals the login info just before its being securely submitted to the service.

And this is exactly what's happening. After you go by http://www.stealmylogin.com/demo.html additional GET request is issued for the script named stealmylogin.js which is transferred gzipped.

The script captures your credentials, opens popup form with them. After you press the button an encrypted TLS session to example.com starts where your credentials are transferred further (using POST, but this POST is encrypted).

So you'll not be able to see any packets using http.request.method == "POST" just because there is no plain HTTP POST used for that and they are transferred to different website.

1. Try to use host stealmylogin.com as capture filter. It'll resolve the name and filter by corresponding IP.

2. BUT the site you're talking about is a bit more complex. You'll not spot any clear-text POST request as the second part (credentials transfer) uses different name (example.com) and is TLS-encrypted.

They clearly say the next:

If you look at the source code of the demo page, you'll see that we injected a malicious JavaScript file stealmylogin.js into the page, just as an attacker might. This malicious code steals the login info just before its being securely submitted to the service.

And this is exactly what's happening. After you go by http://www.stealmylogin.com/demo.html additional GET request is issued for the script named stealmylogin.js which is transferred gzipped.

The script captures your credentials, opens popup form with them. After you press the button an encrypted TLS session to example.com starts where your credentials are transferred further (using POST, but this POST is encrypted).

So you'll not be able to see any packets using http.request.method == "POST" just because there is no plain HTTP POST used for that and they are transferred to different website.

1. Try to use host stealmylogin.com as capture filter. It'll resolve the name and filter by corresponding IP.

2. BUT the site you're talking about is a bit more complex. You'll not spot any clear-text POST request as the second part (credentials transfer) uses different name (example.com) and is TLS-encrypted.

They clearly say the next:

If you look at the source code of the demo page, you'll see that we injected a malicious JavaScript file stealmylogin.js into the page, just as an attacker might. This malicious code steals the login info just before its being securely submitted to the service.

And this is exactly what's happening. After you go by http://www.stealmylogin.com/demo.html additional GET request is issued for the script named stealmylogin.js which is transferred gzipped.

The script captures your credentials, opens popup form with them. After you press the button an encrypted TLS session to example.com starts where your credentials are transferred further (using POST, but this POST is encrypted).

So you'll not be able to see any packets using http.request.method == "POST" just because there is no plain HTTP POST used for that and they are your data is transferred to different website.