Hi Gautam,
This also looks like it may be a direct object reference, in which case at
the very least it would be necessary to ensure that the current user is
allowed to access the account. For example, if I used a browser plugin to
amend the post data and put in someone else's account number, would I be
shown their details?
Cheers, Chris.....
Chris Gilbert
Designer/Developer
W: www.avios.com
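An added example, not code from the thread or from any list member, modelling the ownership check Chris describes: the handler that trusts the posted account number beside one that scopes the lookup to the session user. The user ids, account numbers and function names are constructed for illustration.

```python
# Added example (not from the thread): a minimal model of a getAccountDetails
# handler, with and without the ownership check. All data is constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    number: str   # 16-digit account number, as sent in ACCOUNT_INFORMATION
    owner: str    # user id of the customer who owns the account
    balance: int


# Constructed sample data: two customers, one account each.
ACCOUNTS = {
    "4000000000000001": Account("4000000000000001", "alice", 1200),
    "4000000000000002": Account("4000000000000002", "bob", 350),
}


class Forbidden(Exception):
    """Raised when the session user is not allowed to view the account."""


def get_account_details_unchecked(session_user: str, account_number: str) -> dict:
    """Vulnerable pattern: the posted account number is used as-is, so any
    logged-in user who edits ACCOUNT_INFORMATION sees someone else's data."""
    account = ACCOUNTS[account_number]
    return {"number": account.number, "balance": account.balance}


def get_account_details(session_user: str, account_number: str) -> dict:
    """Hardened version: the lookup is scoped to the authenticated user.
    An account that exists but belongs to someone else is treated exactly
    like one that does not exist, so the response does not confirm whether
    a guessed number is valid."""
    account = ACCOUNTS.get(account_number)
    if account is None or account.owner != session_user:
        raise Forbidden("account not accessible by this user")
    return {"number": account.number, "balance": account.balance}


def is_tampered_request_blocked(session_user: str, account_number: str) -> bool:
    """The check Chris suggests, as a test helper: is a request carrying
    another customer's account number refused for this session user?"""
    try:
        get_account_details(session_user, account_number)
    except Forbidden:
        return True
    return False
```

Note that the ownership check does not address Gautam's logging concern: the account number sits in the query string of the POST URL, which web server access logs record regardless of the HTTP method.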
From: websecurity-request@lists.webappsec.org
To: websecurity@lists.webappsec.org
Date: 27/06/2013 07:56
Subject: websecurity Digest, Vol 30, Issue 13
Sent by: "websecurity" websecurity-bounces@lists.webappsec.org
Today's Topics:
- Sensitive Info in POST and Security Concerns (Gautam)
- Re: Sensitive Info in POST and Security Concerns (Praful Agarwal)
- Re: Sensitive Info in POST and Security Concerns (Gautam)
Message: 1
Date: Thu, 27 Jun 2013 16:01:58 +1000
From: Gautam <gautam.edu@gmail.com>
To: websecurity@webappsec.org
Subject: [WEB SECURITY] Sensitive Info in POST and Security Concerns
Message-ID: <CAJC+O-Qb=qZ997r_yV8UKbx+xELx3WXO7ap4XTkQzTDMqoaBTQ@mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"
Hi,
I was recently reviewing code for a friend and some logs it generated.
I noticed there was a 16-digit number in the URL. I am sure this would
be a major bug if it was in a GET, since this would be cached by the
browser when it is accessed.
I wanted to know what the risk is, and the opinion of the security guys here, if
I spot this in a POST.
Here is a sample.
POST /xyz/myoperation.do?action=getAccountDetails&ACCOUNT_INFORMATION=****************
So technically this POST request sends a full 16-digit account number and in
response the page displays the information to the caller.
Let me know your comments.
Thanks,
--
Regards,
Gautam