[WEB SECURITY] Sensitive Info in POST and Security Concerns

Praful Agarwal praful.agarwal at sandrock.in
Thu Jun 27 02:14:33 EDT 2013


Hi Gautam,

The POST method is more secure than the GET method, as the values in the POST
method are not cached in the URL.

*Risks involved in POST method:*

Autocomplete: Form fields, especially text boxes, give suggestions related to
the values previously filled in to the form.

Tampering (MITM): A network-based attack can be launched to monitor all the
POST and GET data in the local area network.

*Solutions:*

Autocomplete: Use autocomplete="off" in the form tag

Tampering (MITM): Use HTTPS connections



-- 
Regards,
Praful Agarwal
Information Security Consultant
Sandrock eSecurities Pvt. Ltd.
New Delhi, India

Mobile: +91-98185-59358
Skype: praful.agarwal8
Gmail: praful.aga at gmail.com
Hotmail: praful.agarwal at hotmail.com
LinkedIn: in.linkedin.com/in/prafulagarwal
Facebook: facebook.com/praful.agarwal



On Thu, Jun 27, 2013 at 11:31 AM, Gautam <gautam.edu at gmail.com> wrote:

> Hi,
>
> I was recently reviewing code for a friend and some logs it generated.
>
> I noticed there was a 16-digit number in the URL. While I am sure this would
> be a major bug if it was in a GET, since this would be cached by the
> browser when it's accessed.
>
> I wanted to know what the risk is, and the opinion of the security guys here, if
> I spot this in a POST.
>
> Here is a sample.
>
>
> POST /xyz/myoperation.do?action=getAccountDetails&ACCOUNT_INFORMATION=****************
>
> So technically this POST request sends a full 16-digit account number and in
> response the page displays the information to the caller.
>
> Let me know your comments.
>
> Thanks,
>
> --
>
> Regards,
>
> Gautam
>
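In Gautam's sample the 16-digit value sits in the query string of the POST request, so it is written to the server's access log whatever the method; the following is an added example (not code from either poster) of a reviewer's log check that flags such values, Luhn-validates them, and scrubs them from retained lines. It assumes Combined Log Format entries; the log lines are constructed, with a public test card number standing in for the masked value.

```python
import re

# Constructed sample access-log lines (not from the thread); line 1 mirrors the
# kind of request Gautam describes, with a test card number standing in for the
# masked 16-digit value, and line 3 is a GET carrying a non-Luhn 16-digit value.
SAMPLE_LOG = """\
10.0.0.5 - - [27/Jun/2013:11:31:00 +0530] "POST /xyz/myoperation.do?action=getAccountDetails&ACCOUNT_INFORMATION=4111111111111111 HTTP/1.1" 200 512
10.0.0.6 - - [27/Jun/2013:11:31:02 +0530] "POST /xyz/myoperation.do?action=getAccountDetails HTTP/1.1" 200 512
10.0.0.7 - - [27/Jun/2013:11:31:05 +0530] "GET /xyz/report.do?id=1234567890123456 HTTP/1.1" 200 77
"""

# Request line as it appears in a Combined Log Format entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Exactly 16 consecutive digits, not embedded in a longer digit run.
DIGITS16_RE = re.compile(r'(?<!\d)(\d{16})(?!\d)')


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: True for well-formed card/account numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(num: str) -> str:
    """Keep only the last four digits, as a retained log should."""
    return '*' * (len(num) - 4) + num[-4:]


def find_exposed_numbers(log_text: str):
    """Return (line_no, method, param, masked_value, luhn_valid) per 16-digit query value."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m or '?' not in m.group('target'):
            continue
        query = m.group('target').split('?', 1)[1]
        for pair in query.split('&'):
            name, _, value = pair.partition('=')
            for num in DIGITS16_RE.findall(value):
                hits.append((n, m.group('method'), name, mask(num), luhn_ok(num)))
    return hits


def scrub_line(line: str) -> str:
    """Redact 16-digit runs so the line can be retained or shared safely."""
    return DIGITS16_RE.sub(lambda m: mask(m.group(1)), line)
```

The method column in the report shows why "it is a POST" is no protection here: both the POST and the GET line are flagged, because the value travels in the URL in each case.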

