[WEB SECURITY] Sensitive Info in POST and Security Concerns

Gautam gautam.edu at gmail.com
Thu Jun 27 02:48:49 EDT 2013


Thanks Praful for the details.

We are using https and there are no text boxes in response. Just a static
page with some account information.

Will wait to hear more thoughts from this group before I conclude that it's
not a real concern, probably just a bad coding practice in my view.

Thanks
On 27/06/2013 4:14 PM, "Praful Agarwal" <praful.agarwal at sandrock.in> wrote:

> Hi Gautam,
>
> The POST method is more secure than the GET method, as values sent by the POST
> method are not cached in the URL.
>
> *Risks involved in POST method:*
>
> Autocomplete: Form fields, especially textboxes, give suggestions related to
> the previously filled values in the form.
>
> Tampering (MITM): A network-based attack can be launched to monitor all the
> POST and GET data in the local area network.
>
> *Solutions:*
>
> Autocomplete: Use "autocomplete=off" in the form tag
>
> Tampering (MITM): Use HTTPS connections
>
>
>
> --
> Regards,
> Praful Agarwal
> Information Security Consultant
> Sandrock eSecurities Pvt. Ltd.
> New Delhi, India
>
> Mobile: +91-98185-59358
> Skype: praful.agarwal8
> Gmail: praful.aga at gmail.com
> Hotmail: praful.agarwal at hotmail.com
> LinkedIn: in.linkedin.com/in/prafulagarwal
> Facebook: facebook.com/praful.agarwal
>
>
>
> On Thu, Jun 27, 2013 at 11:31 AM, Gautam <gautam.edu at gmail.com> wrote:
>
>> Hi,
>>
>> I was recently reviewing code for a friend, and some generated logs.
>>
>> I noticed there was a 16-digit number in the URL. I am sure this
>> would be a major bug if it were in a GET, since it would be cached by the
>> browser when it's accessed.
>>
>> I wanted to know what the risk is, and the opinion of the security guys here, if
>> I spot this in a POST.
>>
>> Here is a sample.
>>
>>
>> POST /xyz/myoperation.do?action=getAccountDetails&ACCOUNT_INFORMATION=
>> ****************
>>
>> So technically this POST request sends a full 16-digit account number, and
>> in response the page displays the information to the caller.
>>
>> Let me know your comments.
>>
>> Thanks,
>>
>> --
>>
>> Regards,
>>
>> Gautam
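As an added example (not code from the thread or from either poster), here is the kind of check a reviewer could run over access logs to catch what Gautam describes: a value placed in the query string is part of the URL, so it is written to server, proxy and browser-history logs even when the method is POST; only the request body stays out of them. The log lines, the sensitive parameter-name list and the Luhn check are constructed assumptions, not values from the thread.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (combined log format). The first mirrors the
# request shape from the thread, with a made-up, Luhn-valid test number.
SAMPLE_LOG = """\
10.0.0.5 - - [27/Jun/2013:11:31:02 +0530] "POST /xyz/myoperation.do?action=getAccountDetails&ACCOUNT_INFORMATION=4111111111111111 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.7 - - [27/Jun/2013:11:32:10 +0530] "POST /xyz/myoperation.do?action=getAccountDetails HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.9 - - [27/Jun/2013:11:33:45 +0530] "GET /xyz/help.do?topic=statements HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Request line inside a combined-format entry: "<METHOD> <target> HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Parameter names flagged regardless of value (hypothetical list; tune per application)
SENSITIVE_NAMES = {"account_information", "account", "acct", "pan", "card", "ssn"}
# Values that look like a bare card or account number
DIGIT_RUN = re.compile(r"^\d{13,19}$")

def mask(value: str) -> str:
    """Keep only the last four characters so findings can be reported safely."""
    return "*" * max(len(value) - 4, 0) + value[-4:]

def luhn_ok(digits: str) -> bool:
    """Luhn checksum; holds for card numbers, not necessarily for other account ids."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def find_sensitive_query_params(log_text: str) -> list:
    """Flag query-string parameters carrying sensitive data, whatever the HTTP method.
    Body parameters of a POST are not in the request line and are never seen here."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            by_name = name.lower() in SENSITIVE_NAMES
            by_value = bool(DIGIT_RUN.match(value))
            if by_name or by_value:
                findings.append({"line": lineno, "method": m.group("method"),
                                 "param": name, "masked": mask(value),
                                 "reason": "name" if by_name else "value",
                                 "luhn_valid": luhn_ok(value) if by_value else None})
    return findings
```

Only the first constructed line is reported: the second POST carries the same endpoint without the account parameter, and the GET carries nothing sensitive.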