Hi,
I was recently reviewing code for a friend and some logs it generated.
I noticed there was a 16-digit number in the URL. While I am sure this would
be a major bug if it was in a GET, since this would be cached by the
browser when it's accessed.
I wanted to know what the risk is, and the opinion of the security guys here, if I
spot this in a POST.
Here is a sample.
POST /xyz/myoperation.do?action=getAccountDetails&ACCOUNT_INFORMATION=
So technically this POST request sends a full 16-digit account number and in
response the page displays the information to the caller.
Let me know your comments.
Thanks,
--
Regards,
Gautam
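The concern raised in the post above is that the account number sits in the query string of the request line, which servers, proxies and load balancers write to their access logs whether the method is GET or POST. As an added example (not Gautam's code and not from the thread), here is a small Python scanner over constructed access-log lines that flags 16-digit, Luhn-valid values in URL parameters and masks them for reporting; the log lines and the account numbers in them are made up.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (common log format), not taken from the thread.
# The values are invented; 4111111111111111 is a well-known Luhn-valid test number,
# while 1234567890123456 is a 16-digit value that fails Luhn (a cache-buster, not an account).
SAMPLE_LOG = """\
10.0.0.5 - - [27/Jun/2013:11:31:02 +0530] "POST /xyz/myoperation.do?action=getAccountDetails&ACCOUNT_INFORMATION=4111111111111111 HTTP/1.1" 200 2310
10.0.0.5 - - [27/Jun/2013:11:31:09 +0530] "GET /xyz/static/app.js?v=1234567890123456 HTTP/1.1" 200 8802
10.0.0.7 - - [27/Jun/2013:11:32:44 +0530] "POST /xyz/myoperation.do HTTP/1.1" 200 2310
"""

# The request line as logged: method, request target (path + query), protocol.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card and account numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_account_numbers(log_text: str) -> list:
    """Flag query-string parameters carrying a Luhn-valid 16-digit number, whatever the HTTP method.

    Only the query string is inspected: it is part of the request line and therefore
    ends up in server-side logs for POST requests exactly as it does for GET requests.
    """
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        for key, value in parse_qsl(query, keep_blank_values=True):
            if re.fullmatch(r"\d{16}", value) and luhn_valid(value):
                # Never copy the full number into a finding; keep first six and last four.
                hits.append({"method": m.group("method"), "param": key,
                             "masked": value[:6] + "*" * 6 + value[-4:]})
    return hits


if __name__ == "__main__":
    for hit in find_account_numbers(SAMPLE_LOG):
        print(f"{hit['method']} request leaks account number in parameter {hit['param']}: {hit['masked']}")
```

Running it reports the POST line only: the GET cache-buster is 16 digits but fails the Luhn check, and the third request carries no query string at all.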
Hi Gautam,
The POST method is more secure than the GET method, as the values in the POST
method are not cached in the URL.
Risks involved in the POST method:
Autocomplete: Form fields, especially textboxes, give suggestions related to
the previously filled values in the form.
Tampering (MITM): A network-based attack can be launched to monitor all the
POST and GET data in the local area network.
Solutions:
Autocomplete: Use "autocomplete=off" in the form tag
Tampering (MITM): Use HTTPS connections
--
Regards,
Praful Agarwal
Information Security Consultant
Sandrock eSecurities Pvt. Ltd.
New Delhi, India
Mobile: +91-98185-59358
Skype: praful.agarwal8
Gmail: praful.aga@gmail.com
Hotmail: praful.agarwal@hotmail.com
Linked In: in.linkedin.com/in/prafulagarwal
Facebook: facebook.com/praful.agarwal
On Thu, Jun 27, 2013 at 11:31 AM, Gautam gautam.edu@gmail.com wrote:
The Web Security Mailing List
WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss
Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter
http://twitter.com/wascupdates
websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
Thanks Praful for the details.
We are using HTTPS and there are no text boxes in the response. Just a static
page with some account information.
Will wait to hear more thoughts from this group before I conclude that it's
not a real concern, probably just a bad coding practice in my view.
Thanks
On 27/06/2013 4:14 PM, "Praful Agarwal" praful.agarwal@sandrock.in wrote: