websecurity@lists.webappsec.org

The Web Security Mailing List

Re: [WEB SECURITY] websecurity Digest, Vol 30, Issue 13

chris.gilbert@avios.com
Thu, Jun 27, 2013 11:07 AM

Hi Gautam,

This also looks like it may be a direct object reference, in which case at
the very least it would be necessary to ensure that the current user is
allowed to access the account. For example, if I used a browser plugin to
amend the post data and put in someone else's account number, would I be
shown their details?

Cheers, Chris.....

Chris Gilbert
Designer/Developer

W: www.avios.com

From:  websecurity-request@lists.webappsec.org
To:    websecurity@lists.webappsec.org
Date:  27/06/2013 07:56
Subject:        websecurity Digest, Vol 30, Issue 13
Sent by:        "websecurity" <websecurity-bounces@lists.webappsec.org>

Send websecurity mailing list submissions to
websecurity@lists.webappsec.org

To subscribe or unsubscribe via the World Wide Web, visit

http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org

or, via email, send a message with subject or body 'help' to
websecurity-request@lists.webappsec.org

You can reach the person managing the list at
websecurity-owner@lists.webappsec.org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of websecurity digest..."

Today's Topics:

  1. Sensitive Info in POST and Security Concerns (Gautam)
  2. Re:  Sensitive Info in POST and Security Concerns (Praful Agarwal)
  3. Re:  Sensitive Info in POST and Security Concerns (Gautam)

Message: 1
Date: Thu, 27 Jun 2013 16:01:58 +1000
From: Gautam <gautam.edu@gmail.com>
To: websecurity@webappsec.org
Subject: [WEB SECURITY]  Sensitive Info in POST and Security Concerns
Message-ID:
<CAJC+O-Qb=qZ997r_yV8UKbx+xELx3WXO7ap4XTkQzTDMqoaBTQ@mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

Hi,

I was recently reviewing code for a friend and some generated logs.

I noticed there was a 16 digit number in the URL. I am sure this would
be a major bug if it was in a GET, since it would be cached by the
browser when it's accessed.

I wanted to know what the risk is, and the opinion of the security guys
here, if I spot this in a POST.

Here is a sample.

POST /xyz/myoperation.do?action=getAccountDetails&ACCOUNT_INFORMATION= ****************

So technically this POST request sends a full 16 digit account number and in
response the page displays the information to the caller.

Let me know your comments.

Thanks,

--

Regards,

Gautam
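The point Chris makes above (the account number in the POST body is an object reference, so the server must check that the logged-in user owns that account) and Gautam's concern about the number ending up in logs, shown as a small handler. This is an added example, not code from either poster or from the application under review; the `ACCOUNTS` table, the user names and the `handle_post` wrapper are constructed stand-ins for a real session and data store.

```python
"""Object-level authorization for an account-details endpoint.

Added illustration, not code from the thread. The in-memory ACCOUNTS
table, the user names and the handle_post() wrapper stand in for a real
session layer and database.
"""


# Constructed sample data: which user owns which 16-digit account number.
ACCOUNTS = {
    "1111222233334444": {"owner": "alice", "balance": 120.50},
    "5555666677778888": {"owner": "bob", "balance": 42.00},
}


class Forbidden(Exception):
    """Raised when the caller may not see the requested account."""


def get_account_details_unchecked(params):
    """The shape Chris warns about: the handler trusts ACCOUNT_INFORMATION
    from the request body, so anyone who edits the POST data with a
    browser plugin reads whichever account they name (IDOR)."""
    account_no = params["ACCOUNT_INFORMATION"]
    return ACCOUNTS[account_no]


def get_account_details(current_user, params):
    """Hardened shape: the request may name an account, but the record is
    returned only if the authenticated session owns it."""
    account_no = params.get("ACCOUNT_INFORMATION", "")
    if not (account_no.isdigit() and len(account_no) == 16):
        raise ValueError("malformed account number")
    record = ACCOUNTS.get(account_no)
    # One response for "does not exist" and "not yours", so the endpoint
    # does not confirm which account numbers are live.
    if record is None or record["owner"] != current_user:
        raise Forbidden("account not available to this user")
    return record


def mask_account(account_no):
    """Log-safe rendering: keep only the last four digits so the full
    number never lands in server logs, proxies or browser history."""
    return "*" * (len(account_no) - 4) + account_no[-4:]


def handle_post(session_user, body):
    """Request-level wrapper returning (status, payload), the way a web
    framework would. session_user comes from the server-side session,
    never from the request body."""
    if session_user is None:
        return 401, {"error": "login required"}
    try:
        record = get_account_details(session_user, body)
    except ValueError as exc:
        return 400, {"error": str(exc)}
    except Forbidden as exc:
        return 403, {"error": str(exc)}
    # Echo back the masked number only; the caller already knows the rest.
    return 200, {
        "account": mask_account(body["ACCOUNT_INFORMATION"]),
        "balance": record["balance"],
    }


if __name__ == "__main__":
    # alice asking for bob's account: the unchecked handler leaks it,
    # the hardened one refuses.
    print(get_account_details_unchecked({"ACCOUNT_INFORMATION": "5555666677778888"}))
    print(handle_post("alice", {"ACCOUNT_INFORMATION": "5555666677778888"}))
    print(handle_post("alice", {"ACCOUNT_INFORMATION": "1111222233334444"}))
```

The decisive line is the ownership comparison in `get_account_details`: moving the parameter from the query string to the POST body changes what gets cached and logged, but not who is allowed to read the record, so the server-side check is needed either way.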
