[WEB SECURITY] Sensitive Info in POST and Security Concerns
gautam.edu at gmail.com
Thu Jun 27 03:31:17 EDT 2013
I think I completely forgot this valid point for getting logged and
security concerns and something that I myself mentioned in the email.
Thanks martin. I will discuss your point too when I put my suggestion.
On 27/06/2013 5:03 PM, "Erlend Oftedal" <erlend at oftedal.no> wrote:
> If you are worried about sensitive information ending up in apache logs
> etc., then POST request with parameters in the URL have the exact same
> problem as GET requests. If however the sensitive information is in the
> request body, it will not.
> On Thu, Jun 27, 2013 at 8:48 AM, Martin O'Neal <martin.oneal at corsaire.com>wrote:
>> > POST method is more secure than GET method,
>> > as the values in the POST method are not
>> > cached in the URL.
>> Actually this statement is wrong on both counts.
>> If the POST request is not followed by a redirect (3xx) then using the
>> history to revisit the page may make the browser resubmit the values
>> entered (often prompting a warning that this will happen, none-the-less).
>> A POST may put arguments in the body of the request, but in the specific
>> example given the question is about an argument in the URI.
>> As to whether this argument is a problem, or should be there at all, is
>> all contextual to the application. Querying the account ID like this, with
>> it in the URI, fits the RESTful model, so is valid from that perspective.
>> It all depends on whether the account ID is considered sensitive
>> The Web Security Mailing List
>> WebSecurity RSS Feed
>> Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>> WASC on Twitter
>> websecurity at lists.webappsec.org
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the websecurity