Monday, November 2, 2009

HTTPS Data Exposure - GET vs POST

Here is a quick chart showing the data exposure when considering GET vs POST and also HTTP vs HTTPS. The secure choice for transmission of any sensitive data is to use POST statements over SSL/TLS. Any other option will expose data at some point in the communication.



  • URL arguments refer to arguments in the URL for GET or POST (e.g. foo.com?arg1=something).
  • Body arguments refer to data communicated via POST paramaters in the HTTP request body.
This chart does not address client side caching of temporary files. Caching is a separate issue from the protocol selection and should be addressed with appropriate cache-control headers.
Reading: HTTPS Data Exposure - GET vs POSTTweet This!

Posted by Michael Coates on 11/02/2009
Labels:

2 comments:

Brian said...

Some web servers do support logging POST data, though it may require add-on modules. While enabling it could be space-prohibitive, some orgs may either choose to log a set amount of POST data or only do so for critical applications.

The chart also does not address logging by a WAF/IDS/etc. between an intermediary point of SSL termination and the web server.

November 3, 2009 8:07 AM
Michael Coates said...

Excellent point about POST logging. An organization that enables such a feature must be aware of the security implications. In addition, I see far to many applications configured to arbitrarily log all headers to a debug file. This means valid sessionIDs are captured and exposed to anyone with access to the log file.

Regarding WAF/IDS, I would basically lump those into the third category of "Webserver logs". That area was meant to address any devices after the SSL/TLS has terminated.

November 3, 2009 9:03 AM

Post a Comment

Subscribe to: Post Comments (Atom)