[WEB SECURITY] Sensitive Info in POST and Security Concerns

Praful Agarwal praful.agarwal at sandrock.in
Thu Jun 27 02:14:33 EDT 2013

Hi Gautam,

The POST method is more secure than the GET method, as the values in the POST
method are not cached in the URL.

*Risks involved in POST method:*

Autocomplete: Form fields, especially text boxes, give suggestions based on
values previously filled into the form.

Tampering (MITM): A network-based attack can be launched to monitor all the
POST and GET data on the local area network.


Autocomplete: Use autocomplete="off" in the form tag

Tampering (MITM): Use HTTPS connections

Praful Agarwal
Information Security Consultant
Sandrock eSecurities Pvt. Ltd.
New Delhi, India

Mobile: +91-98185-59358
Skype: praful.agarwal8
Gmail: praful.aga at gmail.com
Hotmail: praful.agarwal at hotmail.com
LinkedIn: in.linkedin.com/in/prafulagarwal
Facebook: facebook.com/praful.agarwal

On Thu, Jun 27, 2013 at 11:31 AM, Gautam <gautam.edu at gmail.com> wrote:

> Hi,
> I was recently reviewing code for a friend and some logs it generated.
> I noticed there was a 16-digit number in the URL. While I am sure this would
> be a major bug if it were in a GET, since it would be cached by the
> browser when accessed,
> I wanted to know what the risk is and the opinion of the security guys here if
> I spot this in a POST.
> Here is a sample.
> POST /xyz/myoperation.do?action=getAccountDetails&ACCOUNT_INFORMATION=
> ****************
> So technically this POST request sends a full 16-digit account number and in
> response the page displays the information to the caller.
> Let me know your comments.
> Thanks,
> --
> Regards,
> Gautam
> _______________________________________________
> The Web Security Mailing List
> WebSecurity RSS Feed
> http://www.webappsec.org/rss/websecurity.rss
> Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
> WASC on Twitter
> http://twitter.com/wascupdates
> websecurity at lists.webappsec.org
> http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
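The sample request Gautam quotes carries the 16-digit value in the query string of a POST, which is the part of the request that a web server's default access log (Common Log Format in Apache and nginx) records for every method; only the body stays out of the log. The following is an added example, not code from either poster: it parses a raw request modelled on the sample (with a constructed, fake account number 1234567890123456 and a made-up host), reports whether each 16-digit value sits in the URL or the body, renders the access-log line the server would write, and shows the same request after the query parameters are moved into the form body.

```python
"""Where a sensitive value ends up when it is sent on a POST request.

Added example (not from the original thread). The request text, the host
bank.example and the account number 1234567890123456 are constructed.
"""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit

SIXTEEN_DIGITS = re.compile(r"\d{16}")

# Constructed request modelled on the one quoted in the thread; fake number.
SAMPLE_REQUEST = (
    "POST /xyz/myoperation.do?action=getAccountDetails"
    "&ACCOUNT_INFORMATION=1234567890123456 HTTP/1.1\r\n"
    "Host: bank.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 12\r\n"
    "\r\n"
    "format=short"
)


def parse_request(raw):
    """Split a raw HTTP/1.1 request into method, target, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def find_sensitive(req):
    """Return (location, name, value) for every parameter that is exactly 16 digits."""
    hits = []
    parts = urlsplit(req["target"])
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if SIXTEEN_DIGITS.fullmatch(value):
            hits.append(("url-query", name, value))
    ctype = req["headers"].get("content-type", "")
    if ctype.startswith("application/x-www-form-urlencoded"):
        for name, value in parse_qsl(req["body"], keep_blank_values=True):
            if SIXTEEN_DIGITS.fullmatch(value):
                hits.append(("body", name, value))
    return hits


def access_log_line(req, client="203.0.113.7"):
    """Render the Common Log Format entry a server would write for req.

    The default Apache/nginx formats log the whole request line, so the
    query string is recorded for POST just as for GET; the body is not.
    """
    return '%s - - [27/Jun/2013:11:31:00 +0530] "%s %s %s" 200 512' % (
        client, req["method"], req["target"], req["version"])


def move_query_to_body(req):
    """Return a copy of req with all query parameters merged into the form body."""
    parts = urlsplit(req["target"])
    query_params = parse_qsl(parts.query, keep_blank_values=True)
    body_params = parse_qsl(req["body"], keep_blank_values=True)
    new_body = urlencode(body_params + query_params)
    headers = dict(req["headers"])
    headers["content-type"] = "application/x-www-form-urlencoded"
    headers["content-length"] = str(len(new_body))
    return {**req, "target": parts.path, "headers": headers, "body": new_body}


if __name__ == "__main__":
    req = parse_request(SAMPLE_REQUEST)
    for loc, name, value in find_sensitive(req):
        print(f"{name}={value} found in {loc}")
    print("before:", access_log_line(req))
    fixed = move_query_to_body(req)
    print("after: ", access_log_line(fixed))
    print("body:  ", fixed["body"])
```

Running it prints the constructed number inside the "before" log line and not inside the "after" one, which is the check to apply to the real logs: whatever is in the request target is in the access log, the proxy log and the browser history regardless of method, while a value in the body only reaches the wire (hence the HTTPS point above) and whatever the application itself chooses to log.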