websecurity@lists.webappsec.org

The Web Security Mailing List


Sensitive Info in POST and Security Concerns

Gautam
Thu, Jun 27, 2013 6:01 AM

Hi,

I was recently reviewing code for a friend and some logs generated.

I noticed there was a 16-digit number in the URL. While I am sure this would
be a major bug if it was in the GET, since this would be cached by the
browser when it's accessed.

I wanted to know what the risk and opinion of the security guys here is if I
spot this in a POST.

Here is a sample.

POST /xyz/myoperation.do?action=getAccountDetails&ACCOUNT_INFORMATION=
****************

So technically this POST request sends a full 16-digit account number and in
response the page displays the information to the caller.

Let me know your comments.

Thanks,

--

Regards,

Gautam

Praful Agarwal
Thu, Jun 27, 2013 6:14 AM

Hi Gautam,

The POST method is more secure than the GET method, as the values in the POST
method are not cached in the URL.

Risks involved in the POST method:

Autocomplete: Form fields, especially text boxes, give suggestions related to
the previously filled values in the form.

Tampering (MITM): A network-based attack can be launched to monitor all the
POST and GET data in the local area network.

Solutions:

Autocomplete: Use "autocomplete=off" in the form tag

Tampering (MITM): Use HTTPS connections

--
Regards,
Praful Agarwal
Information Security Consultant
Sandrock eSecurities Pvt. Ltd.
New Delhi, India

Mobile: +91-98185-59358
Skype: praful.agarwal8
Gmail: praful.aga@gmail.com
Hotmail: praful.agarwal@hotmail.com
LinkedIn: in.linkedin.com/in/prafulagarwal
Facebook: facebook.com/praful.agarwal

The Web Security Mailing List

WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss

Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA

WASC on Twitter
http://twitter.com/wascupdates

websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org

Gautam
Thu, Jun 27, 2013 6:48 AM

Thanks Praful for the details.

We are using HTTPS and there are no text boxes in the response. Just a static
page with some account information.

Will wait to hear more thoughts from this group before I conclude that it's
not a real concern, probably just a bad coding practice in my view.

Thanks
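A defender-side check for the situation Gautam describes, added here as an example and not code from the thread: the web server writes the request line, query string included, to its access log whether the method is GET or POST, so a parameter such as ACCOUNT_INFORMATION lands in the logs either way and HTTPS does not help with that. The log lines and account numbers below are constructed (one is the widely used 4111... test card number); the Luhn check only tells card-like numbers apart from other 16-digit identifiers.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (Combined Log Format), not real traffic.
# Lines 2 and 3 mirror the thread's request: same query string, GET then POST.
SAMPLE_LOG = """\
10.0.0.5 - - [27/Jun/2013:06:01:00 +0000] "GET /xyz/index.do HTTP/1.1" 200 512
10.0.0.5 - - [27/Jun/2013:06:01:02 +0000] "GET /xyz/myoperation.do?action=getAccountDetails&ACCOUNT_INFORMATION=4111111111111111 HTTP/1.1" 200 2048
10.0.0.5 - - [27/Jun/2013:06:01:03 +0000] "POST /xyz/myoperation.do?action=getAccountDetails&ACCOUNT_INFORMATION=4111111111111111 HTTP/1.1" 200 2048
10.0.0.7 - - [27/Jun/2013:06:01:04 +0000] "POST /xyz/myoperation.do?action=getAccountDetails&ACCOUNT_INFORMATION=1234567890123456 HTTP/1.1" 200 2048
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
SIXTEEN_DIGITS = re.compile(r"^\d{16}$")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: True for well-formed payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive_params(line: str):
    """Return (method, path, param, luhn_valid) for each 16-digit query value.
    The method is reported but never used to skip a line: a POST query
    string reaches the access log exactly like a GET one."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    parts = urlsplit(m.group("target"))
    hits = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if SIXTEEN_DIGITS.match(value):
            hits.append((m.group("method"), parts.path, name, luhn_ok(value)))
    return hits


def scan_log(text: str):
    """Scan every log line and collect the findings."""
    findings = []
    for line in text.splitlines():
        findings.extend(find_sensitive_params(line))
    return findings


def mask_value(value: str) -> str:
    """Redaction to apply before such a value is ever logged: keep last 4."""
    return "*" * (len(value) - 4) + value[-4:] if len(value) > 4 else "****"
```

The lasting fix is to move the account number out of the URL into the request body (or replace it with a server-side reference) and to redact it with something like mask_value() wherever it must still be logged.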