[WEB SECURITY] Sensitive Info in POST and Security Concerns
praful.agarwal at sandrock.in
Thu Jun 27 02:14:33 EDT 2013
The POST method is more secure than the GET method, as the values in the POST
method are not cached in the URL.
*Risks involved in POST method:*
Autocomplete: Form fields, especially textboxes, give suggestions related to
the previously filled values in the form.
Tampering (MITM): A network-based attack can be launched to monitor all the
POST and GET data in the local area network.
Autocomplete: Use "autocomplete=off" in the form tag
Tampering (MITM): Use HTTPS connections
Information Security Consultant
Sandrock eSecurities Pvt. Ltd.
New Delhi, India
Gmail: praful.aga at gmail.com
Hotmail: praful.agarwal at hotmail.com
Linked In: in.linkedin.com/in/prafulagarwal
On Thu, Jun 27, 2013 at 11:31 AM, Gautam <gautam.edu at gmail.com> wrote:
> I was recently reviewing code for a friend and some logs generated.
> I noticed there was a 16-digit number in the URL. While I am sure this would
> be a major bug if it was in the GET, since this would be cached by the
> browser when it's accessed,
> I wanted to know what the risk and opinion of the security guys here is if
> I spot this in a POST.
> Here is a sample.
> POST /xyz/myoperation.do?action=getAccountDetails&ACCOUNT_INFORMATION=
> So technically this POST request sends a full 16-digit account number and in
> response the page displays the information to the caller.
> Let me know your comments.
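The sample request in the thread puts the account number in the URL's query string, so it is written to server, proxy and browser history logs whether the method is POST or GET. The following added example (not code from the thread or from either poster) scans access log lines for requests whose query string carries a 16-digit value, reports the method alongside each hit, and redacts the value for retained logs; the log lines are constructed, and the parameter name ACCOUNT_INFORMATION is taken from the sample request above.

```python
"""Flag requests whose URL query string carries a 16-digit account number."""
import re
from urllib.parse import urlsplit, parse_qsl

# Combined log format: client ident user [time] "METHOD target HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
ACCOUNT_RE = re.compile(r"^\d{16}$")

# Constructed sample log: two requests leak the number (one POST, one GET),
# one POST carries it in the body instead, one GET has a harmless query.
SAMPLE_LOG = """\
10.0.0.5 - - [27/Jun/2013:11:31:00 +0530] "POST /xyz/myoperation.do?action=getAccountDetails&ACCOUNT_INFORMATION=1234567890123456 HTTP/1.1" 200 512
10.0.0.5 - - [27/Jun/2013:11:31:02 +0530] "GET /xyz/myoperation.do?action=getAccountDetails&ACCOUNT_INFORMATION=1234567890123456 HTTP/1.1" 200 512
10.0.0.7 - - [27/Jun/2013:11:32:10 +0530] "POST /xyz/myoperation.do?action=getAccountDetails HTTP/1.1" 200 512
10.0.0.9 - - [27/Jun/2013:11:33:00 +0530] "GET /static/app.js?v=20130627 HTTP/1.1" 200 2048
"""


def find_exposed_accounts(log_text):
    """Return (line_no, method, param_name) for every request whose query
    string holds a 16-digit value. The method is included to make the point
    of the thread visible: the query string is logged for POST and GET alike."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not a well-formed access log line
        query = urlsplit(m.group("target")).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            if ACCOUNT_RE.match(value):
                hits.append((n, m.group("method"), name))
    return hits


def redact_line(line):
    """Mask all but the last four digits of any 16-digit query-string value
    so that retained logs no longer carry the full account number."""
    return re.sub(r"(?<=[=&])\d{12}(\d{4})(?=&|\s|$)", r"************\1", line)


if __name__ == "__main__":
    for line_no, method, param in find_exposed_accounts(SAMPLE_LOG):
        print(f"line {line_no}: {method} request exposes {param} in the URL")
    print(redact_line(SAMPLE_LOG.splitlines()[0]))
```

Redacting the log only limits exposure after the fact; the fix on the application side is to move the account number out of the URL into the request body over HTTPS.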