[WEB SECURITY] Sensitive Info in POST and Security Concerns

Gautam gautam.edu at gmail.com
Thu Jun 27 02:01:58 EDT 2013


I was recently reviewing code for a friend and some of the logs it generated.

I noticed there was a 16-digit number in the URL. I am sure this would be a
major bug if it was in a GET, since it would be cached by the browser when
accessed.

I wanted to know what the risk is, and the opinion of the security guys here,
if I spot this in a POST.

Here is a sample.

POST /xyz/myoperation.do?action=getAccountDetails&ACCOUNT_INFORMATION=

So technically this POST request sends a full 16-digit account number and in
response the page displays the information to the caller.

Let me know your comments.
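The point the question turns on is that the method does not change where a query string ends up: the part of the request after `?` is part of the request line, so for a POST it is written to web-server and proxy access logs, browser history and Referer headers exactly as it would be for a GET. Only a value carried in the POST body stays out of those places by default. The following Python script is an added example, not code from the original post, that scans constructed access-log lines (labelled as constructed; the 16-digit value is a well-known test number, not a real account) for 16-digit numbers in the request target, uses a Luhn check to cut down false positives, and shows a redaction helper a log filter could apply before the line is written.

```python
import re
from dataclasses import dataclass

# Constructed sample access-log lines in Combined Log Format style. The
# 16-digit value is a widely used test number that passes the Luhn check; the
# value in the last line's path is constructed so that it fails Luhn.
SAMPLE_LOG = """\
10.0.0.5 - - [27/Jun/2013:02:01:58 -0400] "POST /xyz/myoperation.do?action=getAccountDetails&ACCOUNT_INFORMATION=4111111111111111 HTTP/1.1" 200 512
10.0.0.5 - - [27/Jun/2013:02:02:10 -0400] "GET /xyz/myoperation.do?action=getAccountDetails&ACCOUNT_INFORMATION=4111111111111111 HTTP/1.1" 200 512
10.0.0.7 - - [27/Jun/2013:02:03:01 -0400] "POST /xyz/myoperation.do?action=getAccountDetails HTTP/1.1" 200 512
10.0.0.9 - - [27/Jun/2013:02:03:44 -0400] "GET /orders/1234567890123456/status HTTP/1.1" 200 88
"""

# Request line inside the quoted part of an access-log entry.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Exactly 16 consecutive digits, not embedded in a longer digit run.
PAN_RE = re.compile(r'(?<!\d)\d{16}(?!\d)')


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: true for well-formed card/account numbers, which
    filters out most random 16-digit values such as order ids."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep first 6 and last 4 digits, mask the rest (common PAN display rule)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass
class Finding:
    method: str     # HTTP method; a POST is reported just like a GET
    location: str   # "path" or "query": both are part of the logged request line
    masked: str     # masked number, so the report itself does not leak it


def scan_log(text: str) -> list[Finding]:
    """Report Luhn-valid 16-digit numbers found in the request target of each line."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        path, _, query = m.group("target").partition("?")
        for where, part in (("path", path), ("query", query)):
            for pan in PAN_RE.findall(part):
                if luhn_ok(pan):
                    findings.append(Finding(m.group("method"), where, mask(pan)))
    return findings


def redact_target(target: str) -> str:
    """Mitigation for the logging side: mask Luhn-valid 16-digit numbers in a
    request target before it is written to a log (the real fix is to move the
    value into the POST body, but this stops existing logs from growing)."""
    return PAN_RE.sub(lambda m: mask(m.group(0)) if luhn_ok(m.group(0)) else m.group(0), target)


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.method:4} {f.location:5} {f.masked}")
    print(redact_target("/xyz/myoperation.do?action=getAccountDetails&ACCOUNT_INFORMATION=4111111111111111"))
```

Run against the constructed lines, the scanner flags both the POST and the GET with the account number in the query string, and ignores the order id in the fourth line because it fails the Luhn check. The same scan over real access logs, proxy logs or the Referer field of downstream sites is a quick way to measure how far a value like this has already spread.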
