From: Blake Frantz (blake_at_mc.net)
Date: Wed Jul 10 2002 - 16:09:16 CDT


    I don't think anyone is suggesting that POST is secure by itself, but
    perhaps *more* secure than GET. Additionally, I don't think Bryan was
    talking about using hidden form values in the context of:

    <input type = "hidden" name = "password" value ="secret1">

    But instead to, as you've stated, store session keys, etc. Even then
    the argument can be made that this is still insecure provided your
    session keys are weak, or you're not running SSL, etc. In short, the
    argument is being made as to which method is better from a security
    standpoint, not which method is the silver bullet for creating a secure
    web application.

    -Blake


    -----Original Message-----
    From: Anna Karuba [mailto:akarubaapexdigitalsystems.com]
    Sent: Wednesday, July 10, 2002 2:44 PM
    To: Bryan Ponnwitz; webappsecsecurityfocus.com
    Subject: RE: Best Practices for passing data via HTTP

    POST is not secure. A simple view source will reveal your hidden field
    values. Session variables might be your answer.

    -----Original Message-----
    From: Bryan Ponnwitz [mailto:bponnwitbtboces.org]
    Sent: Wednesday, July 10, 2002 3:04 PM
    To: webappsecsecurityfocus.com
    Subject: Re: Best Practices for passing data via HTTP

    Steven:
         I've found that the best way to pass data is using POST and hidden
    form data. If you use GET, the user is able to see the data that your
    application is passing, which is a security problem, and you're limited
    to so many bytes (I think it's 1024 bytes, but don't quote me on that
    one). I've written relatively large web apps before and experimented
    with using GET, POST and even cookies and I find that POST is the most
    flexible and secure.

    Bryan Ponnwitz
    Webmaster - Broome-Tioga Boces
    bponnwitbtboces.org
    (607) 763-3609

    >>> "Steven Fling" <SFLINGoppenheimerfunds.com> 07/10/02 02:36PM >>>
    Our application communicates across various application server
    environments via HTTP/HTTPS requests (versus RMI, etc.) and needs to
    pass data/parameters back and forth. Naturally we use SSL to encrypt
    the request/response.
     
    I wanted to see if there were any Best Practices established to transfer
    data in this fashion. POST vs. GET method, querystring vs. hidden form
    variable, etc.
     
    Any insight would be appreciated!
     
    ____________________________________
    Steve Fling
    Managing Architect - Web Development
    OppenheimerFunds, Inc.
    sflingoppenheimerfunds.com
    Office: 303.768.3200
    FAX: 303.768.1096
    http://www.oppenheimerfunds.com
    ____________________________________

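The thread turns on one point: a hidden form field travels through the browser, so whether it arrives by GET or POST the client can read and edit it, and any trust the server places in it is misplaced. The example below is added here and is not code from any of the posters; it shows the naive handler that trusts a hidden `price` field beside the two alternatives the replies point at, server-side session state keyed by an opaque random id (Anna's "session variables") and an HMAC-signed field for a value that must round-trip through the client. `SERVER_KEY`, `SessionStore`, the `checkout_*` handlers and the form bodies are all constructed for the demonstration.

```python
"""Hidden-field handling: the naive pattern beside two server-side alternatives (constructed example)."""
from __future__ import annotations

import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode

# Assumed: a per-deployment secret that exists only on the server (hypothetical key).
SERVER_KEY = secrets.token_bytes(32)


class SessionStore:
    """Server-side state keyed by an opaque, random session id (constructed in-memory store)."""

    def __init__(self) -> None:
        self._sessions: dict[str, dict] = {}

    def create(self, data: dict) -> str:
        sid = secrets.token_urlsafe(32)  # 256 bits of randomness; only the id reaches the client
        self._sessions[sid] = dict(data)
        return sid

    def get(self, sid: str | None) -> dict | None:
        return self._sessions.get(sid) if sid else None


def parse_form(body: str) -> dict[str, str]:
    """Decode an application/x-www-form-urlencoded body, keeping the first value per key."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def checkout_naive(body: str) -> dict:
    """Trusts the hidden 'price' field: anyone who can edit the form controls the price."""
    f = parse_form(body)
    return {"item": f.get("item"), "price": float(f.get("price", "0"))}


def checkout_session(body: str, store: SessionStore) -> dict | None:
    """Takes the price from server-side state; the client only supplies an opaque session id."""
    f = parse_form(body)
    sess = store.get(f.get("session"))
    if sess is None:
        return None
    return {"item": sess["item"], "price": sess["price"]}


def sign(value: str, key: bytes = SERVER_KEY) -> str:
    """Integrity-protect a value that must pass through the client, as 'value.hexmac'."""
    mac = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{mac}"


def verify(token: str, key: bytes = SERVER_KEY) -> str | None:
    """Return the value if its MAC checks out, else None. Integrity only: the value is still readable."""
    value, sep, mac = token.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return value if hmac.compare_digest(mac, expected) else None


def checkout_signed(body: str) -> dict | None:
    """Accepts the hidden field only when the server's own MAC over it verifies."""
    f = parse_form(body)
    price = verify(f.get("price_sig", ""))
    if price is None:
        return None
    return {"item": f.get("item"), "price": float(price)}


def demo() -> dict:
    """Run the three handlers over constructed form bodies, one of which has an edited hidden field."""
    store = SessionStore()
    sid = store.create({"item": "widget", "price": 49.99})
    edited = urlencode({"item": "widget", "price": "0.01", "session": sid})
    signed_ok = urlencode({"item": "widget", "price_sig": sign("49.99")})
    # Same token with the cleartext part altered; the MAC no longer matches.
    signed_bad = urlencode({"item": "widget", "price_sig": sign("49.99").replace("49.99", "0.01", 1)})
    return {
        "naive_edited": checkout_naive(edited)["price"],
        "session_edited": checkout_session(edited, store)["price"],
        "signed_ok": checkout_signed(signed_ok)["price"],
        "signed_tampered": checkout_signed(signed_bad),
    }


if __name__ == "__main__":
    print(demo())
```

The session handler is the stronger design of the two: the client never sees the real data, only a random id, and the id is useless without SSL protecting it in transit, which is the caveat Blake raises. The signed field keeps the value readable (view source still shows it) and only stops silent modification, so it suits data that is not secret but must not be altered.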