[WEB SECURITY] Sensitive Info in POST and Security Concerns

Gautam gautam.edu at gmail.com
Thu Jun 27 03:31:17 EDT 2013


Thanks erlend

I think I completely forgot this valid point for getting logged and
security concerns and something that I myself mentioned in the email.

Thanks martin. I will discuss your point too when I put my suggestion.

Thanks
Gautam
On 27/06/2013 5:03 PM, "Erlend Oftedal" <erlend at oftedal.no> wrote:

> If you are worried about sensitive information ending up in apache logs
> etc., then POST request with parameters in the URL have the exact same
> problem as GET requests. If however the sensitive information is in the
> request body, it will not.
>
> Erlend
>
>
> On Thu, Jun 27, 2013 at 8:48 AM, Martin O'Neal <martin.oneal at corsaire.com>wrote:
>
>>
>> > POST method is more secure than GET method,
>> > as the values in the POST method are not
>> > cached in the URL.
>>
>> Actually this statement is wrong on both counts.
>>
>> If the POST request is not followed by a redirect (3xx) then using the
>> history to revisit the page may make the browser resubmit the values
>> entered (often prompting a warning that this will happen, none-the-less).
>>
>> A POST may put arguments in the body of the request, but in the specific
>> example given the question is about an argument in the URI.
>>
>> As to whether this argument is a problem, or should be there at all, is
>> all contextual to the application. Querying the account ID like this, with
>> it in the URI, fits the RESTful model, so is valid from that perspective.
>>
>> It all depends on whether the account ID is considered sensitive
>> information.
>>
>> Martin...
>>
>> _______________________________________________
>> The Web Security Mailing List
>>
>> WebSecurity RSS Feed
>> http://www.webappsec.org/rss/websecurity.rss
>>
>> Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>>
>> WASC on Twitter
>> http://twitter.com/wascupdates
>>
>> websecurity at lists.webappsec.org
>>
>> http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/attachments/20130627/a856353f/attachment-0003.html>


More information about the websecurity mailing list