WebApp Sec mailing list archives
RE: IIS log
From: "Nelson, Ernie" <Ernie.Nelson () wizards com>
Date: Tue, 5 Aug 2003 15:35:15 -0700
As others have stated and I was reminded earlier today... IIS logs information that is placed in the query string via an http get. If a post is used then the information will not be logged. Generally it is best in e-commerce applications to do most of your work via posts since there is less in the user's face to fiddle with. Also if you have to keep some cc info in your database...try to do real time auth and simply keep a hash of the user's cc# or a first 4/last 4 span for auditing or reporting purposes. That way if your box is ever compromised you do not have a log or database full of cc#'s. It also helps when you do any web based functionality that requires the cc identity....you aren't passing out their actual, usable number.
Yes, this is a serious issue. Tell your web developers to get their head out of their a $ $ because they've coded a liability that could destroy the company!
Big time problem.
Copy a few lines of the log and paste them into a response.
MAKE SURE YOU MODIFY THE CC NUMBERS!!!!!!!
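The two points in the message above (GET query strings land in the IIS log while POST bodies do not, and the database should hold only a hash plus a first 4/last 4 span rather than the full card number) can be checked and implemented directly. The following Python script is an added example and is not code from the original post or from any list member: it scans constructed IIS W3C extended log lines (the `#Fields:` header, the IP addresses and the card numbers are all made up; `4111111111111111` is the standard Visa test number) for query-string values that pass the Luhn check, and shows a masked display form and a keyed hash for the audit record. The HMAC key is assumed to be held outside the database; a plain unkeyed hash of a card number is easy to reverse by brute force because the space of valid numbers is small, so the keyed hash is a refinement of the post's "hash of the user's cc#" rather than what it literally says.

```python
import hashlib
import hmac
import re
from urllib.parse import parse_qs

# Constructed sample of an IIS W3C extended log (not taken from the original post).
# The POST request shows "-" in cs-uri-query: the body is never written to the log.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2003-08-05 15:35:15 10.0.0.7 GET /checkout.asp cardnum=4111111111111111&exp=0805&amt=19.99 200
2003-08-05 15:36:02 10.0.0.9 POST /checkout.asp - 200
2003-08-05 15:36:40 10.0.0.7 GET /search.asp q=4111111111111112 200
"""

# 13 to 19 digit runs not embedded in a longer digit string.
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers; cuts false positives on order ids etc."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """First 4 / last 4 span the post suggests keeping for reporting: 4111********1111."""
    return pan[:4] + "*" * (len(pan) - 8) + pan[-4:]


def pan_reference(pan: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) to stand in for the card number in the database.

    The key is assumed to live outside the database (hypothetical deployment detail),
    so a dumped table does not let an attacker brute-force the hashes offline.
    """
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def scan_iis_log(text: str, key: bytes) -> list[dict]:
    """Return one finding per Luhn-valid card number found in a logged query string.

    Only cs-uri-query is inspected because that is the field IIS fills from a GET;
    findings carry the masked form and keyed reference, never the raw number.
    """
    findings = []
    fields = None
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]       # column names for the rows that follow
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        row = dict(zip(fields, line.split()))
        query = row.get("cs-uri-query", "-")
        if query == "-":
            continue                        # POST (or GET without a query string)
        for name, values in parse_qs(query).items():
            for value in values:
                for candidate in PAN_RE.findall(value):
                    if luhn_ok(candidate):
                        findings.append({
                            "line": lineno,
                            "method": row.get("cs-method"),
                            "param": name,
                            "masked": mask_pan(candidate),
                            "ref": pan_reference(candidate, key),
                        })
    return findings


if __name__ == "__main__":
    for f in scan_iis_log(SAMPLE_LOG, b"demo-key-not-for-production"):
        print(f"line {f['line']}: {f['method']} param {f['param']} = {f['masked']} ref={f['ref'][:16]}...")
```

Run against the sample, the scanner reports only line 3 (the GET with `cardnum=`): the POST on line 4 leaves nothing in the query field, and the 16-digit value on line 5 fails the Luhn check and is ignored. The same `mask_pan` and `pan_reference` pair is what the application would store instead of the raw number once the log leak itself has been closed.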
Current thread:
- IIS log Justin H Tran (Aug 05)
- Re: IIS log Alejandro Flores (Aug 05)
- Re: IIS log Randy (Aug 05)
- <Possible follow-ups>
- RE: IIS log Michael Howard (Aug 05)
- RE: IIS log Richard M. Smith (Aug 05)
- Re: IIS log dotnetter (Aug 05)
- Re: IIS log jamesworld (Aug 05)
- RE: IIS log Nelson, Ernie (Aug 05)