WebApp Sec mailing list archives

RE: IIS log - GETs vs. POSTs


From: RSnake <rsnake () shocking com>
Date: Mon, 1 Sep 2003 15:27:39 -0700 (PDT)


        Agreed, however, if someone gets access to the critical system and can
read the system log files, you have to assume they can read any file the web
server has access to, including the ASP/CGI etc... many of which have sensitive
information in them, including username/passwords to databases.  And if they
have read-access to the log files, they most likely have write access as well,
which means they can actually change dynamic webpages to leak sensitive
information over time or to store it somewhere for later viewing.

        You are absolutely correct.  Personally I use POST for forms, and
keep all sensitive information on the server referenced by session information
in a cookie or digest, and QUERY_STRINGs to point them to pages like
news.cgi?date=07012003 or something similar, which is better for accountability
(for us in webtrends or urchin, etc...) in some cases.  Your mileage may vary.

        A side note, I was emailed by a gentleman who felt this particular
thread is off topic.  If it is off topic, I believe the list is mis-named.
I personally believe that if it affects the security of a web application, it
belongs on this discussion, it doesn't just have to be about one particular
programming language, client, webserver or type of attack.  However, it is the
moderator's decision, not his or mine, so, NOTE TO MODERATOR, please let me
know if you feel the thread has been off topic.

On 2 Sep 2003, Guille -bisho- wrote:

| Date: 02 Sep 2003 00:07:19 +0200
| From: Guille -bisho- <bisho () onirica com>
| To: RSnake <rsnake () shocking com>
| Cc: "Calderon, Juan C (EM, DDEMESIS)" <Juan.Calderon () ge com>,
|      Lucas Holt <luke () foolishgames com>, Jeremy Poteet <lists () appdefense com>,
|      WebAppSec <webappsec () securityfocus com>
| Subject: RE: IIS log - GETs vs. POSTs
|
|
| Yes. On the net all the HTTP protocol goes encrypted. SSL just provides
| a secure channel for a normal HTTP request.
|
| But in the log files the GET params of https connections are logged, so
| if the server is compromised, that data is fully accessible, even
| backwards.
|
| >     That is incorrect.  Here is the transactional model:
| >
| > Client hello ->
| > <- Server hello
| > <- Server certificate
| > <- serverHelloDone
| > ClientKeyExchange E(Kserv, PK) ->
| > ChangeCipherSpec ->
| > FIN Handshake (MAC) ->
| > <- ChangeCipherSpec
| > <- FIN Handshake (MAC)
| > Application_data HTTP request -> (GET /?data HTTP/1.0\n\n)
| > <- Application_data HTTP response (HTTP/1.1 200 OK\n...)
| > Alert : close_notify ->
| > <- Alert : close_notify
|
| --
| bisho!  _        -=] 01/09/2003 [=-
|     _ ^(   )       _
|    (  (   )  )     \ \___,,,
|   (        )        / _____ >-
|     ( :: )       >==-
|   '. |::| ,  >==-
|     \\:://  [ PEACE YES, WAR NO ]
|
|

-R
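As an added illustration of the point this thread makes (example code, not from any poster), a Python scan over constructed IIS W3C extended-format log lines: it flags GET requests whose query string carries credential-like parameter names, while the equivalent POST leaves only "-" in cs-uri-query. The sample lines and the list of sensitive parameter names are assumptions.

```python
from urllib.parse import parse_qsl

# Constructed sample log in IIS W3C extended format (not from a real server).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time cs-method cs-uri-stem cs-uri-query sc-status
2003-09-01 22:15:01 GET /news.cgi date=07012003 200
2003-09-01 22:15:07 GET /login.asp user=alice&password=hunter2 302
2003-09-01 22:15:09 POST /login.asp - 302
2003-09-01 22:15:20 GET /account.asp sessionid=3f9ac1&ssn=123-45-6789 200
"""

# Assumed list of parameter names whose values should never end up in a log.
SENSITIVE_PARAMS = {"password", "passwd", "pwd", "ssn", "creditcard", "token", "secret"}

def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue  # other directives (#Software, #Date, ...) carry no requests
        values = line.split(" ")
        if fields and len(values) == len(fields):
            yield dict(zip(fields, values))

def sensitive_get_params(entry):
    """Return the sensitive parameter names present in this entry's cs-uri-query.

    IIS records only the query string; a POST body is never written, so the
    same credentials sent by POST leave cs-uri-query as '-' and are not flagged.
    """
    query = entry.get("cs-uri-query", "-")
    if entry.get("cs-method") != "GET" or query == "-":
        return []
    names = {k.lower() for k, _ in parse_qsl(query, keep_blank_values=True)}
    return sorted(names & SENSITIVE_PARAMS)

def find_leaks(text):
    """Return (cs-uri-stem, [sensitive names]) for every GET that logged a sensitive field."""
    findings = []
    for entry in parse_w3c(text):
        hits = sensitive_get_params(entry)
        if hits:
            findings.append((entry["cs-uri-stem"], hits))
    return findings

if __name__ == "__main__":
    for stem, names in find_leaks(SAMPLE_LOG):
        print(f"{stem}: sensitive GET parameters written to the log: {', '.join(names)}")
```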
