
I have a bit of a complicated scenario. I'll try to explain the problem, explain what I'm doing, and see if anyone else thinks this is feasible.

First off, we are PCI compliant. So, any solution I implement has to take compliance into consideration. Here is the scenario.

Our server is Server A. Server A is secure (https), PCI compliant, and hosts a web application. (Windows Server 2003, IIS 6)

Server B is an external entity's web server. They have a website written in any flavor. This server is secure (https), but is not PCI compliant.

The client pulls down a page from Server B. There is a jquery plugin which hijacks the form on the page served by Server B. This causes the form to submit a jsonp http get request directly to server A. My assumption, correct or not, is that Server B never receives the post from the form even though the form is served to the client from Server B. This request contains sensitive (credit card) information in the query string. Again, my assumption is that because the connection is https, this data is secure as part of the encrypted payload.

So, Server A receives the request, and sends a response back to the client (accepted, declined, error, etc).

My questions are these: How can I be absolutely sure that Server A (my server) is not saving any of this data? I've already stripped off the query string from the logs, but is there anything else I need to turn off? Is the query string ever logged in the windows events? How about on the client machine? Is any of that data (the query string) going to be logged there? Also, how can I demonstrate (prove) to anyone (my boss) that the query string is part of the encrypted payload?

EDIT:

Clarification: Server A and Server B are not on the same domain. I have to make this http request work cross domain through an ajax call. I cannot use a proxy on server B.

Josh
  • Does the form absolutely need to be submitted by GET? javascript can submit via POST as well... – DerfK Jan 21 '11 at 15:09
  • javascript cannot perform an ajax post cross domain. I must use a get with jsonp to go cross domain. – Josh Jan 21 '11 at 15:40

1 Answer


A packet trace would show that the query string is not submitted in plaintext (and with Wireshark's SSL decryption capability, you could show that it IS submitted encrypted).

As for logging, on the client side the answer is a definite "maybe". For instance, someone could be behind a corporate proxy that substitutes its own SSL certificate (issued by a CA trusted on all the company computers) and logs all the queries, and is probably sending this query to HR so they can write up the person for wasting company time on it.

No idea if there are any other logs that the query may appear in on the server side. Depending on your application (is it JSP?) it may even have its own logs completely separate from IIS.

DerfK
  • My app is asp.net mvc 2.0 (Server A). Server B could be anything. – Josh Jan 21 '11 at 16:47
  • @Josh: Well, if we want to make up more scenarios, if your "hijacking" works by replacing the form submission action, a sufficiently malicious Server B could craft a page that could evade it and receive whatever data was entered on the form, for instance by duplicating all of the keystrokes in javascript to a hidden form field and using its own ajax request back to its own domain. – DerfK Jan 21 '11 at 17:42
  • Well, the owner of server B would not want the data on their server for fear of violating PCI and being fined by the credit card companies. – Josh Jan 21 '11 at 20:52
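The check the question ends on (whether card data survives anywhere in Server A's logs once the query string is "stripped") and the answer's caveat that other logs may exist can be tested rather than assumed. The following is an added example, not code from the question, the answer, or IIS itself: it scans IIS W3C extended log text for Luhn-valid card numbers in any field, so a stripped log should return no hits and a log that still records `cs-uri-query` should. The log lines, the site layout and the `/charge` URL are constructed for the example; the field names follow the W3C extended format IIS 6 writes, and 4111111111111111 is a well-known test card number.

```python
import re
from typing import List, Tuple

# Constructed sample of an IIS 6 W3C extended log (not taken from the original page).
# Line 5 models a log that still writes the query string; line 6 is what a log with
# cs-uri-query disabled looks like ('-'); line 7 carries a 16-digit order number that
# is not a card number and must not be reported.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2011-01-21 15:09:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2011-01-21 15:09:00 10.0.0.5 GET /charge callback=jQuery1&card=4111111111111111&exp=1213 443 - 203.0.113.7 Mozilla/5.0 200 0 0
2011-01-21 15:09:01 10.0.0.5 GET /charge - 443 - 203.0.113.7 Mozilla/5.0 200 0 0
2011-01-21 15:09:02 10.0.0.5 GET /status order=1234567890123456 443 - 203.0.113.7 Mozilla/5.0 200 0 0
"""

# A card number candidate: 13 to 19 digits, optionally separated by spaces or dashes
# (the way people type them), not embedded in a longer digit run. This is a heuristic:
# a PAN glued to other digits without a separator would be missed.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; True for a well-formed card number, so plain numeric
    identifiers of the same length are filtered out."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """PCI-style display masking: first six and last four digits only."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_iis_log(text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, field name, masked PAN) for every Luhn-valid card
    number found in a W3C extended log. The '#Fields:' directive names the
    columns, so a hit in cs-uri-query points straight at query-string logging."""
    hits: List[Tuple[int, str, str]] = []
    fields: List[str] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue            # other directives and blank lines
        values = line.split(" ")
        for idx, value in enumerate(values):
            name = fields[idx] if idx < len(fields) else f"col{idx}"
            for m in CANDIDATE_RE.finditer(value):
                digits = re.sub(r"[ -]", "", m.group(0))
                if luhn_ok(digits):
                    hits.append((lineno, name, mask(digits)))
    return hits


if __name__ == "__main__":
    # Point this at a real file with scan_iis_log(open(path).read()).
    for lineno, field, pan in scan_iis_log(SAMPLE_LOG):
        print(f"line {lineno}: card number in field '{field}': {pan}")
```

Only line 5 is reported, in `cs-uri-query`; the order number on line 7 fails the Luhn check and the stripped line 6 has nothing to find. Because the scanner reads the `#Fields:` directive, the same function works on any W3C-format log the site writes, and the regex plus `luhn_ok` can be reused on plain-text application logs that have no column header.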