Hi,

When the form is posted the input parameters are viewed in response headers, which is vulnerable to security threats. I don't want to show these input parameters in the response header. Example:

POST /genaw/reports/adv/RelatedPartyEdit.jsp HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Referer: https://localhost:8002/genaw/reports/adv/RelatedPartyEdit.jsp
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Host: localhost:8002
Content-Length: 265
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: JSESSIONIDmw=ll3bMpLCMPgJYW3XLpZ8LC4n41b8C14VglWlRyQzFhm7DP444nrs!-1676166811; _WL_AUTHCOOKIE_JSESSIONIDmw=kbyAU[zA14srFNxXskf5; JSESSIONIDaw=BQQcMpvBpzDHWNg8B2q22vMRyJWJ07n9lZT3hv7NLLlJXG4ZfvQC!1597653939; _WL_AUTHCOOKIE_JSESSIONIDaw=qD6ZP9yPcM4AGa]NdFxo; JSESSIONIDiw=1JjDMpybh00qK5hJpbBmXdwjWK34py7b57PZv5wp3ZCc9SCzpQ3z!1597653939

from=&cmd=changepwdaction&orgid=sant&nicknamefilter=&fullnamefilter=&rolefilter=&rpuniqueid=4817&parentRpuniqueid=102&idNum=102&org=sant&advisor=SAN165&nickname=596148956&password=&password2=&fullname=LOZOSEKSH&role=6&iwReportsAllow=2&iwReportsAllow=3&Submit=Update

I want to hide the parameter values given in bold, else my site can be accessed as localhost:8002/genaw/reports/adv/RelatedPartyEdit.jsp?from=&cmd=changepwdaction&orgid=sant&nicknamefilter=&fullnamefilter=&rolefilter=&rpuniqueid=4817&parentRpuniqueid=102&idNum=102&org=sant&advisor=SAN165&nickname=596148956&password=&password2=&fullname=LOZOSEKSH&role=6&iwReportsAllow=2&iwReportsAllow=3&Submit=Update

How do I avoid request parameters in response headers, to avoid security threats?

A: 

This doesn't look like an http problem to me. It also looks much more like Request headers than response headers. The name/value pairs in bold are just your form elements. If you need these values on the server then you have to either live with the fact they are being sent plain-text, switch to https so that the connection is encrypted or do some encryption of the values yourself. This is quite tricky though of course since any encryption will have to be javascript and thus fully visible to any malicious users.

If you don't need these values on the server then take them out of your form.

Chris
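
To make the distinction Chris draws concrete, here is an added example (not code from the thread or from the application in the question) that parses a raw HTTP request into its request line, headers, query string and form body, and reports which sensitive fields travel in the URL rather than the POST body. The two requests are constructed, shortened versions of the ones in the question; the field names `password`/`password2` and the sample values are assumptions.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed requests modelled on the question (not the original capture).
BODY = "cmd=changepwdaction&nickname=596148956&password=s3cret"
RAW_POST = (
    "POST /genaw/reports/adv/RelatedPartyEdit.jsp HTTP/1.1\r\n"
    "Host: localhost:8002\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    f"Content-Length: {len(BODY)}\r\n"
    "\r\n"
    f"{BODY}"
)
# The same fields sent as a GET, i.e. the URL form the asker was worried about.
RAW_GET = (
    f"GET /genaw/reports/adv/RelatedPartyEdit.jsp?{BODY} HTTP/1.1\r\n"
    "Host: localhost:8002\r\n"
    "\r\n"
)

# Field names assumed sensitive for this form (assumption, not from the thread).
SENSITIVE = {"password", "password2"}


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request into method, path, query, headers and form fields.

    Everything here is *request* data sent by the browser; none of it is a
    response header, which is the point Chris makes above.
    """
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    form = {}
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        form = parse_qs(body, keep_blank_values=True)
    return {"method": method, "path": parts.path, "headers": headers,
            "query": parse_qs(parts.query, keep_blank_values=True), "form": form}


def exposed_in_url(req: dict) -> list[str]:
    """Sensitive fields carried in the request target. Even over HTTPS these land
    in server access logs, browser history and Referer headers, unlike body fields."""
    return sorted(name for name in req["query"] if name in SENSITIVE)


if __name__ == "__main__":
    for raw in (RAW_POST, RAW_GET):
        req = parse_request(raw)
        print(req["method"], "form fields:", sorted(req["form"]),
              "sensitive in URL:", exposed_in_url(req))
```

Running it shows the POST carries every field in the body and nothing sensitive in the URL, while the GET variant reports `password` in the URL.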

my connection is https only. I have to have these values in the server, else how does the server know the value (not using any javascript - a straight forward post only). but I don't want these parameter information to be displayed once on the response

Sridevi

Could you clarify what you mean by "I don't want these parameter information to be displayed on the response". You've given no real indication on how they are being displayed on the response. Also with a https connection the only computers that should be able to read that data are the end points of your https connection so I'm not sure that there is any real security issue here anyway.

Chris