发表新帖
发表新帖

Are security concerns sending a password using a GET request over https valid?

前端 未结
关注
5 700
萌比男神i
萌比男神i 2020-12-05 04:58

We have webpage which uses the sapui5-framework to build a spa. The communication between the browser and the server uses https. The interaction to log into the page is the

相关标签:
5条回答
  • [愿得一人]
    2020-12-05 05:30

    These two approaches are fundamentally different:

    • https://myusername:myPassword@myserver.com/foo/bar/metadata
    • https://myserver.com/?user=myUsername&pass=MyPasswort

    myusername:myPassword@ is the "User Information" (this form is actually deprecated in the latest URI RFC), whereas ?user=myUsername&pass=MyPasswort is part of the query.

    If you look at this example from RFC 3986:

         foo://example.com:8042/over/there?name=ferret#nose
     \_/   \______________/\_________/ \_________/ \__/
      |           |            |            |        |
   scheme     authority       path        query   fragment
      |   _____________________|__
     / \ /                        \
     urn:example:animal:ferret:nose

    myusername:myPassword@ is part of the authority. In practice, use HTTP (Basic) authentication headers will generally be used to convey this information. On the server side, headers are generally not logged (and if they are, whether the client entered them into their location bar or via an input dialog would make no difference). In general (although it's implementation dependent), browsers don't store it in the location bar, or at least they remove the password. It appears that Firefox keeps the userinfo in the browser history, while Chrome doesn't (and IE doesn't really support them without workaround)

    In contrast, ?user=myUsername&pass=MyPasswort is the query, a much more integral part of the URI, and it is send as the HTTP Request-URI. This will be in the browser's history and the server's logs. This will also be passed in the referrer.

    To put it simply, myusername:myPassword@ is clearly designed to convey information that is potentially sensitive, and browsers are generally designed to handle this appropriately, whereas browsers can't guess which part of which queries are sensitive and which are not: expect information leakage there.

    The referrer information will also generally not leak to third parties, since the Referer header coming from an HTTPS page is normally only sent with other request on HTTPS to the same host. (Of course, if you have used https://myserver.com/?user=myUsername&pass=MyPasswort, this will be in the logs of that same host, but you're not making it much worth since it stays on the same server logs.)

    This is specified in the HTTP specification (Section 15.1.3):

    Clients SHOULD NOT include a Referer header field in a (non-secure) HTTP request if the referring page was transferred with a secure protocol.

    Although it is just a "SHOULD NOT", Internet Explorer, Chrome and Firefox seem to implement it this way. Whether this applies to HTTPS requests from one host to another depends on the browser and its version.

    It is now possible to override this behaviour, as described in this question and this draft specification, using a <meta> header, but you wouldn't do that on a sensitive page that uses ?user=myUsername&pass=MyPasswort anyway.

    Note that the rest of HTTP specification (Section 15.1.3) is also relevant:

    Authors of services which use the HTTP protocol SHOULD NOT use GET based forms for the submission of sensitive data, because this will cause this data to be encoded in the Request-URI. Many existing servers, proxies, and user agents will log the request URI in some place where it might be visible to third parties. Servers can use POST-based form submission instead

    Using ?user=myUsername&pass=MyPasswort is exactly like using a GET based form and, while the Referer issue can be contained, the problems regarding logs and history remain.

    0 讨论(0)
  • 滥情空心
    2020-12-05 05:32

    The community has provided a broad view on the considerations, the above stands with respect to the question. However, GET requests may, in general, need authentication. As observed above, sending user name/password as part of the URL is never correct, however, that is typically not the way authentication information is usually handled. When a request for a resource is sent to the server, the server generally responds with a 401 and Authentication header in the response, against which the client sends an Authorization header with the authentication information (in the Basic scheme). Now, this second request from client can be a POST or a GET request, nothing prevents that. So, generally, it is not the request type but the mode of communicating the information is in question.

    Refer http://en.wikipedia.org/wiki/Basic_access_authentication

    0 讨论(0)
  • 时光说笑
    2020-12-05 05:33

    Consider this:

    https://www.example.com/login

    Javascript within login page:

    $.getJSON("/login?user=joeblow&pass=securepassword123");

    What would the referer be now?

    If you're concerned about security, an extra layer could be:

    var a = Base64.encode(user.':'.pass);
$.getJSON("/login?a="+a);

    Although not encrypted, at least the data is obscured from plain sight.

    0 讨论(0)
  • 南方客
    2020-12-05 05:38

    Sending any kind of sensitive data over GET is dangerous, even if it is HTTPS. These data might end up in log files at the server and will be included in the Referer header in links to or includes from other sides. They will also be saved in the history of the browser so an attacker might try to guess and verify the original contents of the link with an attack against the history.

    Apart from that you better ask that kind of questions at security.stackexchange.com.

    0 讨论(0)
  • 我寻月下人不归
    2020-12-05 05:38

    Let assume that user clicked a button and following request generated by client browser.

    https://www.site.com/?username=alice&password=b0b123!

    HTTPS

    First thing first. HTTPS is not related with this topic. Because using POST or GET does not matter from attacker perspective. Attackers can easily grab sensitive data from query string or directly POST request body when traffic is HTTP. Therefor it does not make any difference.

    Server Logs

    We know that Apache, Nginx or other services logging every single HTTP request into log file. Which means query string ( ?username=alice&password=b0b123! ) gonna be written into log files. This can be dangerous because of your system administrator can access this data too and grab all user credentials. Also another case could be happen when your application server compromise. I believe you are storing password as hashed. If you use powerful hashing algorithm like SHA256, your client's password will be more secure against hackers. But hackers can access log files directly get passwords as a plain-text with very basic shell scripts.

    Referer Information

    We assumed that client opened above link. When client browser get html content and try to parse it, it will see image tag. This images can be hosted at out of your domain ( postimage or similar services, or directly a domain that under the hacker's control ) . Browser make a HTTP request in order to get image. But current url is https://www.site.com/?username=alice&password=b0b123! which is going to be referer information!

    That means alice and her password will be passed to another domain and can be accessible directly from web logs. This is really important security issue.

    This topic reminds me to Session Fixation Vulnerabilities. Please read following OWASP article for almost same security flaw with sessions. ( https://www.owasp.org/index.php/Session_fixation ) It's worth to read it.

    0 讨论(0)
 看不清?
提交回复
热议问题