tags:

views:

78

answers:

3
+4  Q: 

Security: Brute-forcing GET-requests by URL?

Hi everybody,

what should my concerns be if I we're about to make an application that handles logins the following way:

http://api.myApp.example/printSomething/username/password/

How insecure is it compared to a normal login page that are based on POSTed user details (username+password)? Is there a difference?

Thanks

+10  A: 

Simply don't do that. Use POST method instead of that. You should never allow sensitive info in URLs.

Sarfraz  2010-07-04 15:50:57
Bingo. They show up in logs, browser history, etc.
ceejayoz  2010-07-04 15:53:01
@ceejayoz: yup, that's true.
Sarfraz  2010-07-04 15:54:31
+1 for straight answer. No messing. Just 'don't do it' man!
zaf  2010-07-04 16:40:08
+2  A: 

Actually, it is not much of a difference, you just make it one step easier for an attacker to mess around.

BUT: URLs are very often kept in the browser history, logs, etc., that means anyone who has access to browser (or has access to the URL) would be able to see the username and the plaintext password.

Update:

With respect to the question's title and to clarify my answer:

Both GET and POST requests can be easily exploited for doing a brute force attack. With GET, you would make it easier for an attacker to do this manually but most often these are automatic attacks, i.e. an application performing these requests and hence the HTTP method used is totally irrelevant.

You can never prevent brut force attacks by choosing one HTTP method over the other.
You have to do such things on the server side, e.g. restricting the number of accesses per minute from one IP.

Felix Kling  2010-07-04 15:53:02
The HTTP request can (and should) be encrypted, so reading it can be much more difficult than getting the browser history (or looking over the user's shoulder).
Amnon  2010-07-04 16:08:38
@Amnon: While this is absolutely true, I was more focusing on the brute force aspect of this question. I have updated my answer to clarify that.
Felix Kling  2010-07-04 16:11:49
+9  A: 

The difference is that the password is visible in the address bar, and that any site that the user goes to from your site can see the user's password in the REFERER header.

Amnon  2010-07-04 15:53:16
Thats a very good, obvious reason :)
Industrial  2010-07-04 15:55:04
+1 for not so obvious reason ;)
zaf  2010-07-04 16:38:55
+1 for `The difference is that the password is visible in the address bar`. Those are clear words.
Sarfraz  2010-07-04 17:09:30
Not only that, but also in the browser history, which is a problem especially in publicly used computers.
Kim L  2010-07-07 06:48:09

related questions

Encryption in C# Web-Services
How Do You Secure database.yml?
ASP.NET LocationProvider
What do you (or your company) use for wiping a machine?
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Java: What is the best way to SFTP a file from a server
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Best way to store a database password in a startup script / config file?
Using VM to get around VPN restrictions
Best references for secure coding practices in ASP.NET and classic ASP.
Secure Memory Allocator in C++
Resolving Session Fixation in JBoss
Best Practices for securing a REST API / web service
Defensive programming
Personal Linux web server
Block user access to internals of a site using HTTP_REFERER
Is there an Unobtrusive Captcha for web forms?
My website got hacked... What should I do?
What all do I need to escape when sending a (My)SQL query?
How do you disable browser Autocomplete on web form field / input tag?
Best .NET obfuscation tools/strategy
Are there best practices for testing security in an Agile development shop?
What is the best way to avoid SQL injection attacks?
Found a critical bug, but the company doesn't care
PHP Session Security