HTTP Security 'Get'

What are some HTTP Get recommendations for security?

When should HTTP GET querystring values be hidden?

Edit - The legacy application has all of its request parameters XOR 'encrypted'. It also passes things like AccountID in the query string. So I wonder whether this is good practice, and how I would correct these things if it is not.

Edit -

One of the methods that I could use to solve this issue would be to create a base class (this is just pseudocode):

    Public MustInherit Class QSBase
        ' Shared across all sessions; incremented atomically so two concurrent
        ' requests can never be handed the same ID
        Public Shared Unique As Long = 0
        Private m_ID As String

        Public ReadOnly Property ID() As String
            Get
                Return m_ID
            End Get
        End Property

        Public Sub New()
            ' somehow get a unique value for this querystring
            m_ID = System.Threading.Interlocked.Increment(Unique).ToString()
        End Sub

        Public Function IDQueryString() As String
            Return "ID=" & m_ID
        End Function
    End Class

Then, for each page in the application, I would create a derived class with properties for each query string value.

    Public Class QSPage1
        Inherits QSBase

        Private m_AccountID As String

        Public ReadOnly Property AccountID() As String
            Get
                Return m_AccountID
            End Get
        End Property

        Public Sub New(ByVal _AccountID As String)
            m_AccountID = _AccountID
        End Sub
    End Class

Then, when I pass the query string to pop-ups or other pages, I create the appropriate class, save it in the session and pass only the unique identifier in the query string:

    Dim qs As New QSPage1("123456")
    Session(qs.ID) = qs
    Server.Transfer("Page1.aspx?" & qs.IDQueryString())
    ' or CreatePopup("Page1.aspx?" & qs.IDQueryString())

Inside the page, I access the values by pulling the unique identifier and referring to the saved session value:

    ' Look up the object saved under the ID carried in the query string
    AccountID = CType(Session(Request.QueryString("ID")), QSPage1).AccountID

Of course, this can be placed in a function or class on the page.

Some of the benefits of this approach are as follows:

  • No query string values are exposed except for an unrelated identifier.
  • This is pretty easy to implement in existing code.

Some of the disadvantages are as follows:

  • A long session can accumulate many of these query string objects.
  • The unique identifier must be “truly unique” for this session.

Can anyone think of other advantages / disadvantages or a better way to do this (other than rewriting the application)?

Edit -

Thanks to everyone who says to use HTTPS and POST. Unfortunately, I am looking for answers that relate to using only GET. (Unless you can explain how to send data to popups without using QueryString, Session, or JavaScript?)

+4
8 answers

If you have something worth hiding, I would suggest switching to HTTPS and dropping HTTP.

I generally wouldn't put anything related to customer, supplier or order identifiers in the query string. But that's just me.

+7

I think you should never hide GET parameters.

If you need to hide the parameters of the query string in the address bar, you should use POST.

If you want to prevent someone from intercepting GET data, use HTTPS.

+4

Perhaps you could expand on what you are trying to accomplish? In general, you should avoid putting important information (such as credentials) in URLs. URLs have a habit of "leaking".

General tip: set up your robots.txt file so that Google does not index any of these pages, and does not use a one-time login token (or something similar).

Edit: I would suggest not using weak XOR encryption. If you are worried about people changing URL parameters, add a secure hash. If you really need to hide the information contained in the request, then encrypt it for real; don't roll your own weak algorithm.

+3

Never pass information that needs protecting in a GET request. These requests are logged directly by the web server, so the information is available in plain text for a third party to view and hack if they want to.

If you need to transfer credentials, use a cookie to hold the state information and send everything over SSL.

+2

Some come to mind ...

  • Authentication and authorization may be required depending on what is requested.

  • How query parameter data is treated and used. If the parameter data is used in any way other than as a set of parameters, and it comes from an untrusted source, you may want to validate the parameter values.

  • Be careful about returning error codes. An attacker can use error codes to determine possible attack vectors by studying the topography of your site: what is returned if the resource does not exist, or the parameters are bad, etc.

0

You could use an HttpModule in ASP.NET to encrypt HTTP GET values globally (an HttpModule to encrypt the query string). Also, use the SessionId as the key for encryption / decryption, which makes the querystring more secure per session. However, it is not 100% safe, and I would not recommend it for a site that needs a high degree of protection.

As suggested by "JD", it is better to use HTTPS to secure communication between the server and the client. However, the client can easily change a parameter value in the browser, for example from /showinvoice.aspx?id=1000 to /showinvoice.aspx?id=1001.

I suggest validating each parameter value on the server side before the page executes, and terminating any request that is invalid.

0

Use POST if you need extra security?

You must not pass account information in the request.

0

My honest answer is that unless the data is REALLY sensitive (for example, a password or credit card number, etc.), whoever coded the "encryption" was probably trying to hide the lack of proper authentication / authorization in the application.

If, for example, you are worried that if you do not encrypt the part of the URL that says "accountId=1", then someone can change it to "accountId=2" and look at someone else's account, then the real bug in the application is that it does not check ownership of the account before delivering the goods!

Trying to fix this lack of authorization checks using encryption is, at best, a band-aid. Note that sometimes band-aids are needed: at the moment it may be too hard to do anything else, but we should still acknowledge it for what it is.

0
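Two of the answers above make complementary points: one recommends adding a secure hash so that changed URL parameters are detected, and this last one notes that the real fix for "accountId=1" becoming "accountId=2" is an ownership check on the server. The following is an added example (not code from any poster on this page) that puts both together in Python; SECRET_KEY and the INVOICES table are constructed for the demonstration.

```python
import hmac
import hashlib
from urllib.parse import urlencode, parse_qsl

# Constructed server-side secret for this example; a real application would load
# it from protected configuration, never from the page or the client.
SECRET_KEY = b"constructed-example-key-not-for-production"

def canonical(params):
    """Deterministic encoding so signer and verifier hash identical bytes."""
    return urlencode(sorted((k, v) for k, v in params.items() if k != "sig"))

def sign_query(params, key=SECRET_KEY):
    """Return a query string with an HMAC-SHA256 'sig' over the other parameters.
    The values stay readable (they still end up in web server logs); the tag only
    lets the server detect that a parameter was altered in transit or by the user."""
    body = canonical(params)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return body + "&sig=" + tag

def verify_query(query, key=SECRET_KEY):
    """Parse a query string and return its parameters, or None if 'sig' is missing or wrong."""
    params = dict(parse_qsl(query, keep_blank_values=True))
    tag = params.pop("sig", None)
    if tag is None:
        return None
    expected = hmac.new(key, canonical(params).encode(), hashlib.sha256).hexdigest()
    # compare_digest avoids leaking the correct tag byte by byte through timing
    if not hmac.compare_digest(expected, tag):
        return None
    return params

# Constructed invoice table: invoice id -> owning account id
INVOICES = {"1000": "acct-A", "1001": "acct-B"}

def fetch_invoice(query, session_account, key=SECRET_KEY):
    """Server-side handler: an intact signature is necessary but not sufficient;
    the invoice must also belong to the account that owns the current session."""
    params = verify_query(query, key)
    if params is None:
        return "400 bad signature"
    owner = INVOICES.get(params.get("id"))
    if owner is None:
        return "404 not found"
    if owner != session_account:
        return "403 not your invoice"
    return "200 invoice " + params["id"]
```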
