HTTP 'Get' Security

Tags: http, get

What are some HTTP 'Get' Security best practices?

When should HTTP Get querystring values be obscured?

Edit - The application I've inherited has all of the querystring parameters XOR 'encrypted'. It also passes things like AccountID in the querystring. So I'm wondering if these are good practices and how I would go about correcting these things if they aren't.

Edit -

One method I could use to solve this would be to create a base class (this is just pseudo code):


Public MustInherit Class QSBase

  ' Shared counter used as the "unique" ID; a plain counter is neither
  ' thread-safe nor unguessable, which is the weakness noted below.
  Public Shared Unique As Long = 0
  Private m_ID As String

  Public ReadOnly Property ID As String
    Get
      Return m_ID
    End Get
  End Property

  Public Sub New()
    m_ID = Unique.ToString() 'somehow get a unique value for this querystring
    Unique += 1
  End Sub

  ' The only thing that goes on the URL: "ID=<unique id>"
  Public Function IDQueryString() As String
    Return "ID=" & m_ID
  End Function

End Class

Then for each page in application I would create a derived class with properties for each query string value.


Public Class QSPage1
  Inherits QSBase

  Private m_AccountID As String

  Public ReadOnly Property AccountID As String
    Get
      Return m_AccountID
    End Get
  End Property

  Public Sub New(ByVal _AccountID As String)
    MyBase.New() ' runs QSBase.New, which assigns the unique ID
    m_AccountID = _AccountID
  End Sub

End Class

Then when I pass the query string to popups or other pages I instantiate the relevant class, store it in the session and pass the unique ID on the query string:


Dim qs As New QSPage1("123456")
Session(qs.ID) = qs
Server.Transfer("Page1.aspx?" & qs.IDQueryString())
'or
CreatePopup("Page1.aspx?" & qs.IDQueryString())

Within the page I access the values by pulling the unique ID and referencing the stored session value:


AccountID = CType(Session(Request.QueryString("ID")), QSPage1).AccountID

Of course that can be put into a function or a class in the page.

Some benefits of this approach are:

  • None of the query string is visible except an unrelated ID.
  • It's fairly easy to implement in already existing code.

Some of the drawbacks are that:

  • A long session could accumulate many of these querystring objects.
  • The unique ID would need to be "truly unique" for that session.

Can anyone think of any other benefits/drawbacks or a better way to do this (besides rewriting the application)?

Edit -

Thanks to all who say to use HTTPS and POST. Unfortunately, I'm looking for answers that have to do with using 'GET' only. (Unless you can explain how to post data to popups without using the QueryString, Session or Javascript?)

user79755 asked Dec 06 '22 06:12
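The pattern sketched in the question (keep the real parameters server-side, put only an opaque ID on the URL) is easiest to judge in a language-neutral form. The following is an added illustration written for this page in Python, not the asker's ASP.NET code and not any framework's API; `QueryStringStore`, `build_link`, `load_page` and the session IDs are assumed names. It addresses the two drawbacks listed above: the ID comes from the OS CSPRNG rather than a shared counter (so it is both unique and unguessable), and each per-session store is bounded by an entry cap and a time-to-live so a long session cannot accumulate objects without limit. Because the store is keyed by session, a token copied from one session resolves to nothing in another, and the account identifier itself never appears in the URL where a user could edit it.

```python
import secrets
import time
from collections import OrderedDict
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import parse_qs, urlsplit


@dataclass(frozen=True)
class QSPage1:
    """Server-side stand-in for the question's QSPage1: the real parameters."""
    account_id: str


class QueryStringStore:
    """Per-session map from an opaque token to the real page parameters.

    The token is the only value that appears in the URL ("?ID=<token>");
    AccountID and friends stay on the server.
    """

    def __init__(self, max_entries: int = 50, ttl_seconds: float = 600.0,
                 clock=time.monotonic) -> None:
        # token -> (expiry timestamp, parameters), oldest first
        self._entries: "OrderedDict[str, tuple]" = OrderedDict()
        self._max_entries = max_entries
        self._ttl = ttl_seconds
        self._clock = clock  # injectable so expiry can be tested

    def issue(self, params: object) -> str:
        # 128 bits from the OS CSPRNG: unique and unguessable, which the
        # question's shared integer counter is not.
        token = secrets.token_urlsafe(16)
        self._entries[token] = (self._clock() + self._ttl, params)
        # Bound growth: evict the oldest entries once over the cap.
        while len(self._entries) > self._max_entries:
            self._entries.popitem(last=False)
        return token

    def resolve(self, token: Optional[str]) -> Optional[object]:
        """Return the stored parameters, or None if unknown or expired."""
        if token is None:
            return None
        entry = self._entries.get(token)
        if entry is None:
            return None
        expires_at, params = entry
        if self._clock() >= expires_at:
            del self._entries[token]
            return None
        return params

    def __len__(self) -> int:
        return len(self._entries)


# One store per session (constructed in-memory stand-in for Session state),
# so a token minted in session A is meaningless in session B.
_SESSIONS: Dict[str, QueryStringStore] = {}


def store_for(session_id: str) -> QueryStringStore:
    return _SESSIONS.setdefault(session_id, QueryStringStore())


def build_link(session_id: str, params: object, page: str = "Page1.aspx") -> str:
    """Counterpart of Server.Transfer("Page1.aspx?" & qs.IDQueryString())."""
    token = store_for(session_id).issue(params)
    return f"{page}?ID={token}"


def parse_id(url: str) -> Optional[str]:
    """Pull the ID value out of a '?ID=...' link (assumed helper)."""
    values = parse_qs(urlsplit(url).query).get("ID")
    return values[0] if values else None


def load_page(session_id: str, url: str) -> Optional[QSPage1]:
    """Counterpart of CType(Session(Request.QueryString("ID")), QSPage1)."""
    params = store_for(session_id).resolve(parse_id(url))
    return params if isinstance(params, QSPage1) else None


if __name__ == "__main__":
    link = build_link("sess-A", QSPage1(account_id="123456"))
    print(link)                       # Page1.aspx?ID=<random token>
    print(load_page("sess-A", link))  # QSPage1(account_id='123456')
    print(load_page("sess-B", link))  # None: token is bound to sess-A
```

The TTL and cap are the knobs that replace the question's "long session accumulates objects" concern with an explicit policy; in a real ASP.NET application the same structure would live in `Session` exactly as the asker describes, with the token replacing the counter value.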


2 Answers

If you have anything worth obscuring then I would suggest going to HTTPS and dumping HTTP.

Typically I would not put anything related to customer, vendor or order identifiers in the query string. But that is me.

Jeff answered Dec 09 '22 16:12


I think you should never obscure GET parameters.

If you need to hide the parameters in the query string at the navigation bar, you should use POST.

If you want to prevent sniffers from intercepting your GET parameter data, use HTTPS.

razenha answered Dec 09 '22 16:12