0

Query parameter in HTTP POST request

asked 2011-04-05 03:01:34 +0800

rickysee gravatar image rickysee
24

Hi all,

I have an application developed using ZK 3.6.2 on WebSphere application server 7. Using a tool called HTTPWatch I noticed that I can see query parameters for HTTP POST request being sent to the server.

https://myserver/onlineApp/zkau?dtid=gdh31&cmd.0=onChange&uuid.0=z_dh_g1&data.0=29&data.0=false&data.0=0&cmd.1=onChange&uuid.1=z_dh_o1& data.1=melissa&data.1=false&data.1=0&cmd.2=onChange&uuid.2=z_dh_02&data.2=mypassword& data.2=false&data.2=0&cmd.3=onOK&uuid.3=z_dh_02&data.3=13&data.3=false&data.3=false&data.3=false&data.3=z_dh_02

As you can see from the above URL (which is from a login.zul page), I can clearly see some of the values being sent over to the server. So is there a way to actually prevent the query string from being visible?

delete flag offensive retag edit

16 Replies

Sort by ยป oldest newest

answered 2011-04-05 06:58:53 +0800

caclark gravatar image caclark
1753 2 5
http://clarktrips.intltwi...

Where is HTTPWatch being run, in your browser or snooping from another machine?

link publish delete flag offensive edit

answered 2011-04-05 21:32:36 +0800

rickysee gravatar image rickysee
24

For my own testing, I'm running in my browser. But my security team said is a risk to use query string in HTTP POST so I try to find out is there any way to hide the query string.

link publish delete flag offensive edit

answered 2011-04-06 04:35:05 +0800

terrytornado gravatar image terrytornado flag of Germany
9393 3 7 16
http://www.oxitec.de/

Hmmmmm, is this the so called 'SQL Injection' ?

Why not call a well defined service/dao method in your backend? If you need to send dynamic 'where clauses' have a look on the 'Search' class from the hibernate-generic-dao framework. With it you can put your where clause in the Search object and read them back in your backend method.

best
Stephan

link publish delete flag offensive edit

answered 2011-04-06 05:11:42 +0800

rickysee gravatar image rickysee
24

The security issue here is not SQL Injection, we got that part covered. As you can see in the above URL, using query string we are actually exposing sensitive information (e.g. password, user name, account number, etc). It may be possible to steal these sensitive data using network sniffer.

link publish delete flag offensive edit

answered 2011-04-06 06:18:28 +0800

caclark gravatar image caclark
1753 2 5
http://clarktrips.intltwi...

Given that you URL is something like this: "https://myserver/...", what's the issue? You're running over SSL. I assume you can see it with HTTPWatch because it's inside the browser before it's encrypted and put on the wire.

link publish delete flag offensive edit

answered 2011-04-06 20:45:18 +0800

rickysee gravatar image rickysee
24

Thanks for reply caclark. Yes we are running over SSL but according to my security team, they said it is advisable to not use sensitive information in query string even if it is on SSL.

link publish delete flag offensive edit

answered 2011-04-07 01:24:31 +0800

Steva77 gravatar image Steva77 flag of Italy
1014 3
http://www.research.softe...

My two cents: from my JSP/Servlet experience, I remember parameters are explicitly passed by GET (with limited amount to 255 characters, if I am right), but not by POST, ewhich has no limits and is not explicit in the url...
What I am missing here is how you can read them.... is there a risk you are in a privileged position and you are trying to fix an issue that can not be raised for other external users?

link publish delete flag offensive edit

answered 2011-04-07 01:51:08 +0800

rickysee gravatar image rickysee
24

Hi Steva77, you are right that using typical browser an user cannot see the query parameters in POST request. But using tools like HTTPWatch or other network sniffer software I was able to see the URL as shown on the first post. The security risk I mention is to prevent hackers from obtaining sensitive information from the query string.

link publish delete flag offensive edit

answered 2011-04-07 02:24:25 +0800

cmlow gravatar image cmlow
3

Data contained in URL query string on a HTTPS connection is encrypted. However it is a very poor practice to send sensitive data such as password using the query string for security purposes. While it cannot be intercepted, the data could be logged in web server logs (e.g. access log).

link publish delete flag offensive edit

answered 2011-04-07 03:37:28 +0800

Steva77 gravatar image Steva77 flag of Italy
1014 3
http://www.research.softe...

updated 2011-04-07 03:37:34 +0800

Well, then I am not sure it is a ZK issue... I do think it relates to protocols.

link publish delete flag offensive edit
Your reply
Please start posting your answer anonymously - your answer will be saved within the current session and published after you log in or create a new account. Please try to give a substantial answer, for discussions, please use comments and please do remember to vote (after you log in)!

[hide preview]

Question tools

Follow

RSS

Stats

Asked: 2011-04-05 03:01:34 +0800

Seen: 919 times

Last updated: Apr 07 '11

Support Options
  • Email Support
  • Training
  • Consulting
  • Outsourcing
Learn More