[WEB SECURITY] websecurity Digest, Vol 30, Issue 13

chris.gilbert at avios.com
Thu Jun 27 07:07:21 EDT 2013


Hi Gautam,

This also looks like it may be a direct object reference, in which case at
the very least it would be necessary to ensure that the current user is
allowed to access the account. For example, if I used a browser plugin to
amend the POST data and put in someone else's account number, would I be
shown their details?

Cheers, Chris.....




Chris Gilbert
Designer/Developer

W: www.avios.com
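The check Chris is asking about, as an added example that is not code from the thread or from the application under review. It shows a minimal account-details handler three ways: the direct object reference that trusts ACCOUNT_INFORMATION as sent, the same lookup with an ownership check against the authenticated session user, and an indirect reference where the client never sends the 16-digit number at all. The account store, user names, account numbers and the Request shape are all constructed for illustration; nothing is known about the real application's session or data layer.

```python
"""
Added example, not code from the thread or from the application under review.
A minimal account-details handler written three ways:

  get_account_details_vulnerable  trusts ACCOUNT_INFORMATION from the request
                                  (the direct object reference Chris describes);
  get_account_details_checked     does the same lookup but refuses to return a
                                  record the session user does not own;
  get_account_by_ref              never accepts a raw account number; the client
                                  sends a per-user opaque reference instead.

The account store, user names, account numbers and the Request shape are
constructed for illustration.
"""
from dataclasses import dataclass, field

# Constructed sample data: 16-digit account numbers owned by two users.
ACCOUNTS = {
    "1000000000000001": {"owner": "alice", "balance": 1200},
    "1000000000000002": {"owner": "alice", "balance": 45},
    "2000000000000001": {"owner": "bob", "balance": 30},
}


class Forbidden(Exception):
    """Raised when the caller may not see the requested record."""


@dataclass
class Request:
    session_user: str                           # authenticated by the server (session cookie)
    params: dict = field(default_factory=dict)  # client-controlled query/body parameters


def get_account_details_vulnerable(req):
    """Returns whichever account the client names. Nothing ties the record to
    the caller except the number the caller sent, so a tampered POST with a
    different ACCOUNT_INFORMATION returns someone else's details."""
    return ACCOUNTS.get(req.params.get("ACCOUNT_INFORMATION", ""))


def get_account_details_checked(req):
    """Same lookup plus the authorisation check: the record must belong to the
    authenticated session user. Unknown and foreign accounts fail identically,
    so the response does not confirm whether a guessed number exists."""
    record = ACCOUNTS.get(req.params.get("ACCOUNT_INFORMATION", ""))
    if record is None or record["owner"] != req.session_user:
        raise Forbidden("account not accessible to this user")
    return record


def list_account_refs(session_user):
    """Server-side map from short opaque references to the user's own account
    numbers. Built per user, so a reference means nothing in another session."""
    own = sorted(acct for acct, rec in ACCOUNTS.items() if rec["owner"] == session_user)
    return {str(i): acct for i, acct in enumerate(own)}


def get_account_by_ref(req):
    """Indirect object reference: the client sends 'ref', never the 16-digit
    number, so it neither lands in logs nor can be swapped for another user's."""
    acct = list_account_refs(req.session_user).get(req.params.get("ref", ""))
    if acct is None:
        raise Forbidden("unknown account reference")
    return ACCOUNTS[acct]


def is_denied(handler, req):
    """True if the handler refuses the request (used to demonstrate the checks)."""
    try:
        handler(req)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    # Bob edits the POST data in his browser and sends Alice's account number.
    tampered = Request("bob", {"ACCOUNT_INFORMATION": "1000000000000001"})
    print("vulnerable returns:", get_account_details_vulnerable(tampered))
    print("checked denies:", is_denied(get_account_details_checked, tampered))
    print("alice's refs:", list_account_refs("alice"))
```

The ownership check answers Chris's question directly; the reference map goes one step further and removes the account number from the request, which also addresses the logging concern raised in the original message.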







From:   websecurity-request at lists.webappsec.org
To:     websecurity at lists.webappsec.org
Date:   27/06/2013 07:56
Subject:        websecurity Digest, Vol 30, Issue 13
Sent by:        "websecurity" <websecurity-bounces at lists.webappsec.org>




Today's Topics:

   1.   Sensitive Info in POST and Security Concerns (Gautam)
   2. Re:  Sensitive Info in POST and Security Concerns (Praful Agarwal)
   3. Re:  Sensitive Info in POST and Security Concerns (Gautam)


----------------------------------------------------------------------

Message: 1
Date: Thu, 27 Jun 2013 16:01:58 +1000
From: Gautam <gautam.edu at gmail.com>
To: websecurity at webappsec.org
Subject: [WEB SECURITY]  Sensitive Info in POST and Security Concerns
Message-ID:
 <CAJC+O-Qb=qZ997r_yV8UKbx+xELx3WXO7ap4XTkQzTDMqoaBTQ at mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

Hi,

I was recently reviewing code for a friend and some logs generated.

I noticed there was a 16-digit number in the URL. While I am sure this would
be a major bug if it were in a GET, since this would be cached by the
browser when it's accessed.

I wanted to know what the risk is, and the opinion of the security guys here,
if I spot this in a POST.

Here is a sample.


POST /xyz/myoperation.do?action=getAccountDetails&ACCOUNT_INFORMATION=****************

So technically this POST request sends a full 16-digit account number and in
response the page displays the information to the caller.

Let me know your comments.

Thanks,

-- 

Regards,

Gautam
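The log side of the question, as an added example that is not code from the thread. The sample request above carries ACCOUNT_INFORMATION in the query string even though the method is POST, so the number is written to the web server's access log (and to any proxy in between) exactly as it would be for a GET. This scanner pulls the request target out of combined-format access-log lines and reports every 16-digit run found there, masked, with the HTTP method alongside so the report makes that point itself. The log lines, client addresses and account numbers are constructed; the Luhn check is only a heuristic for card-like numbers, since the thread does not say what kind of account number this is.

```python
"""
Added example, not code from the thread. Scans access-log request lines for
16-digit numbers that were sent in the URL, whatever the HTTP method, and
reports them masked. Log lines and account numbers below are constructed.
"""
import re

# Constructed sample access log (Apache/Tomcat "combined"-style request lines).
SAMPLE_LOG = """\
10.0.0.5 - - [27/Jun/2013:07:56:01 +1000] "POST /xyz/myoperation.do?action=getAccountDetails&ACCOUNT_INFORMATION=1000000000000008 HTTP/1.1" 200 2317 "-" "Mozilla/5.0"
10.0.0.5 - - [27/Jun/2013:07:56:02 +1000] "GET /xyz/static/logo.png HTTP/1.1" 200 1581 "-" "Mozilla/5.0"
10.0.0.7 - - [27/Jun/2013:07:57:13 +1000] "POST /xyz/myoperation.do HTTP/1.1" 200 2290 "-" "Mozilla/5.0"
10.0.0.9 - - [27/Jun/2013:07:58:40 +1000] "GET /xyz/report.do?id=1234567890123456&x=1 HTTP/1.1" 200 812 "-" "curl/7.30"
"""

REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
SIXTEEN_DIGITS = re.compile(r"(?<!\d)\d{16}(?!\d)")


def luhn_ok(digits):
    """Luhn checksum (mod 10). True for most card numbers; a plain account
    number may or may not satisfy it, so treat this as a confidence hint only."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(digits):
    """Keep the first six and last four digits, the usual PAN display form."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_leaks(log_text):
    """One finding per 16-digit run in a request target. The method is kept so
    the report shows POST requests leaking through the URL just as GETs do."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        target = m.group("target")
        for hit in SIXTEEN_DIGITS.finditer(target):
            digits = hit.group(0)
            findings.append({
                "method": m.group("method"),
                "path": target.split("?", 1)[0],
                "masked": mask(digits),
                "luhn_valid": luhn_ok(digits),
            })
    return findings


def redact_target(target):
    """Replace 16-digit runs in a request target with the masked form; usable in
    a logging filter until the parameter is moved out of the URL entirely."""
    return SIXTEEN_DIGITS.sub(lambda h: mask(h.group(0)), target)


if __name__ == "__main__":
    for finding in find_leaks(SAMPLE_LOG):
        print(finding)
```

Run against a real access log, the same function will also pick up numbers in GET query strings and in path segments; the POST line in the sample is there to show that the method makes no difference once the value is in the URL.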

------------------------------

Message: 2
Date: Thu, 27 Jun 2013 11:44:33 +0530
From: Praful Agarwal <praful.agarwal at sandrock.in>
To: Gautam <gautam.edu at gmail.com>
Cc: websecurity at webappsec.org
Subject: Re: [WEB SECURITY] Sensitive Info in POST and Security
                 Concerns
Message-ID:
 <CABfr38-snqJFA4obCYQzhr+9UUkwHwT89836NO+n7iaue2Xndw at mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

Hi Gautam,

The POST method is more secure than the GET method, as the values in the POST
method are not cached in the URL.

Risks involved in POST method:

Autocomplete: form fields, especially textboxes, give suggestions related to
the previously filled values in the form.

Tampering (MITM): a network-based attack can be launched to monitor all the
POST and GET data in the local area network.

Solutions:

Autocomplete: use "autocomplete=off" in the form tag

Tampering (MITM): use HTTPS connections



-- 
Regards,
Praful Agarwal
Information Security Consultant
Sandrock eSecurities Pvt. Ltd.
New Delhi, India

Mobile: +91-98185-59358
Skype: praful.agarwal8
Gmail: praful.aga at gmail.com
Hotmail: praful.agarwal at hotmail.com
LinkedIn: in.linkedin.com/in/prafulagarwal
Facebook: facebook.com/praful.agarwal




------------------------------

Message: 3
Date: Thu, 27 Jun 2013 16:48:49 +1000
From: Gautam <gautam.edu at gmail.com>
To: Praful Agarwal <praful.agarwal at sandrock.in>
Cc: websecurity at webappsec.org
Subject: Re: [WEB SECURITY] Sensitive Info in POST and Security
                 Concerns
Message-ID:
 <CAJC+O-QCCYNZRHw1SDcOACtaeSq+DMvFMjaJqGXTSFZ4fKDekg at mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

Thanks Praful for the details.

We are using HTTPS and there are no text boxes in the response. Just a static
page with some account information.

Will wait to hear more thoughts from this group before I conclude that it's
not a real concern, probably just a bad coding practice in my view.

Thanks

------------------------------

Subject: Digest Footer

_______________________________________________
websecurity mailing list
websecurity at lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org



------------------------------

End of websecurity Digest, Vol 30, Issue 13
*******************************************


