4

What should my concerns be if I were about to make an application that handles logins the following way:

http://api.myApp.example/printSomething/username/password/

How insecure is it compared to a normal login page that is based on POSTed user details (username+password)? Is there a difference?

Thanks

Gumbo
Industrial
  • Is there a specific reason that you need to send it via GET rather than POST? – xil3 Jul 04 '10 at 15:52
  • possible duplicate of [Is it secure to pass login credentials as plain text in an HTTPS URL?](http://stackoverflow.com/questions/3150672/is-it-secure-to-pass-login-credentials-as-plain-text-in-an-https-url) – Piskvor left the building Jul 04 '10 at 16:00

3 Answers

11

Simply don't do that. Use POST method instead of that. You should never allow sensitive info in URLs.

Sarfraz
10

The difference is that the password is visible in the address bar, and that any site that the user goes to from your site can see the user's password in the REFERER header.

Amnon
  • +1 for `The difference is that the password is visible in the address bar`. Those are clear words. – Sarfraz Jul 04 '10 at 17:09
  • 1
    Not only that, but also in the browser history, which is a problem especially in publicly used computers. – KCL Jul 07 '10 at 06:48
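The two leaks this answer describes (the credential-bearing URL landing in the address bar and history, and the same URL being sent to other sites in the Referer header) both leave traces in ordinary web-server access logs. The following detection script, added here as an example and not part of any answer on this page, scans a few constructed "combined"-format log lines for the `/printSomething/<username>/<password>/` route from the question as well as for `password=` query parameters, reports each hit with the password redacted, and checks the Referer column too, which is what a third-party site's log would show after a user followed a link out of the application. The route, host name and all log values are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample log lines in Apache/nginx "combined" format. The route
# and host name come from the question; IPs, users and passwords are made up.
# Line 3 is what a *different* site's log would contain after a user clicked a
# link out of the application: the login URL arrives in the Referer column.
SAMPLE_LOG = """\
10.0.0.5 - - [04/Jul/2010:15:52:01 +0000] "GET /printSomething/alice/s3cret/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [04/Jul/2010:15:52:09 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.9 - - [04/Jul/2010:15:53:30 +0000] "GET /index.html HTTP/1.1" 200 2048 "http://api.myApp.example/printSomething/bob/hunter2/" "Mozilla/5.0"
10.0.0.5 - - [04/Jul/2010:15:54:12 +0000] "GET /login?username=carol&password=pa55 HTTP/1.1" 200 100 "-" "Mozilla/5.0"
"""

# One combined-format line: ip ident user [ts] "method target proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Credentials embedded in the path, as in the question's URL scheme.
PATH_CRED_RE = re.compile(r'/printSomething/(?P<user>[^/]+)/(?P<pw>[^/]+)/')
# Credentials passed as a query parameter (the other common GET-login mistake).
QUERY_CRED_RE = re.compile(r'([?&](?:password|passwd|pwd)=)(?P<pw>[^&#]*)', re.IGNORECASE)


@dataclass
class Finding:
    line_no: int
    where: str      # "request" (our own log) or "referer" (leaked to another site)
    ip: str
    redacted: str   # the offending URL with the password masked


def has_credentials(url: str) -> bool:
    """True if the URL carries a password in its path or query string."""
    return bool(PATH_CRED_RE.search(url) or QUERY_CRED_RE.search(url))


def redact_credentials(url: str) -> str:
    """Mask the password so the finding itself does not re-leak it."""
    url = PATH_CRED_RE.sub(lambda m: f"/printSomething/{m.group('user')}/[REDACTED]/", url)
    url = QUERY_CRED_RE.sub(r"\1[REDACTED]", url)
    return url


def scan_log(text: str) -> List[Finding]:
    """Flag every request line whose target or Referer contains credentials."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        for field, where in (("target", "request"), ("referer", "referer")):
            value = m.group(field)
            if has_credentials(value):
                findings.append(Finding(line_no, where, m.group("ip"), redact_credentials(value)))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no}: credentials in {f.where} from {f.ip}: {f.redacted}")
```

Note that the POST login on line 2 produces no finding: the credentials travel in the request body, which the access log, the history and the Referer header never record. Running a scanner like this over real logs is a quick way to confirm whether an existing GET-based login has already spread passwords into log retention.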
2

Actually, it is not much of a difference, you just make it one step easier for an attacker to mess around.

BUT: URLs are very often kept in the browser history, logs, etc., which means anyone who has access to the browser (or has access to the URL) would be able to see the username and the plaintext password.

Update:

With respect to the question's title and to clarify my answer:

Both GET and POST requests can be easily exploited for doing a brute force attack. With GET, you would make it easier for an attacker to do this manually but most often these are automatic attacks, i.e. an application performing these requests and hence the HTTP method used is totally irrelevant.

You can never prevent brute force attacks by choosing one HTTP method over the other.
You have to do such things on the server side, e.g. restricting the number of accesses per minute from one IP.

Felix Kling
  • 1
    The HTTP request can (and should) be encrypted, so reading it can be much more difficult than getting the browser history (or looking over the user's shoulder). – Amnon Jul 04 '10 at 16:08
  • 1
    @Amnon: While this is absolutely true, I was more focusing on the brute force aspect of this question. I have updated my answer to clarify that. – Felix Kling Jul 04 '10 at 16:11
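The server-side throttling this answer recommends is independent of whether the credentials arrive in the URL or in a POST body, because the check runs after the request is parsed. The code below is an added example, not from any answer here, of a sliding-window limiter on failed attempts. It goes one step beyond the per-IP limit the answer mentions by also counting failures per target account, since an attacker spreading attempts over many addresses would otherwise never hit the per-IP limit. The limits, the window length, the `attempt_login` handler and the constructed user table are all illustrative choices; a real system would compare against stored password hashes rather than a plaintext table.

```python
import hmac
import time
from collections import defaultdict, deque
from typing import Callable, Deque, Dict, Optional


class LoginThrottle:
    """Sliding-window limit on *failed* login attempts, per source IP and per username.

    Only failures are counted, so a legitimate user who types the right password
    is never penalised by their own successes. Both thresholds and the window are
    illustrative values chosen for this example.
    """

    def __init__(self, max_per_ip: int = 20, max_per_user: int = 5, window_seconds: float = 60.0):
        self.max_per_ip = max_per_ip
        self.max_per_user = max_per_user
        self.window = window_seconds
        self._by_ip: Dict[str, Deque[float]] = defaultdict(deque)
        self._by_user: Dict[str, Deque[float]] = defaultdict(deque)

    def _prune(self, dq: Deque[float], now: float) -> None:
        # Drop timestamps that have aged out of the window (oldest first).
        while dq and now - dq[0] >= self.window:
            dq.popleft()

    def allow(self, ip: str, username: str, now: Optional[float] = None) -> bool:
        """Return True if an attempt from `ip` against `username` may proceed."""
        now = time.monotonic() if now is None else now
        ip_dq, user_dq = self._by_ip[ip], self._by_user[username.lower()]
        self._prune(ip_dq, now)
        self._prune(user_dq, now)
        return len(ip_dq) < self.max_per_ip and len(user_dq) < self.max_per_user

    def record_failure(self, ip: str, username: str, now: Optional[float] = None) -> None:
        """Remember one failed attempt for both the IP and the account."""
        now = time.monotonic() if now is None else now
        self._by_ip[ip].append(now)
        self._by_user[username.lower()].append(now)


# Constructed user table for the example only; real code stores password hashes.
CONSTRUCTED_USERS = {"alice": "correct horse"}


def check_password(username: str, password: str) -> bool:
    # compare_digest avoids leaking the match length through timing.
    return hmac.compare_digest(CONSTRUCTED_USERS.get(username, ""), password)


def attempt_login(throttle: LoginThrottle, ip: str, username: str, password: str,
                  verify: Callable[[str, str], bool] = check_password,
                  now: Optional[float] = None) -> str:
    """The server-side check a login handler runs, whatever the HTTP method was.

    Returns "throttled", "ok" or "denied". Throttling is decided before the
    password is verified, so a locked-out attacker gets no signal about it.
    """
    if not throttle.allow(ip, username, now):
        return "throttled"
    if verify(username, password):
        return "ok"
    throttle.record_failure(ip, username, now)
    return "denied"


if __name__ == "__main__":
    t = LoginThrottle(max_per_user=3)
    for i in range(5):
        print(i, attempt_login(t, "10.0.0.5", "alice", "wrong", now=float(i)))
```

The `now` parameter exists so the window can be driven deterministically in tests; in production it defaults to `time.monotonic()`. Whether the throttle returns "throttled" for an account or for an address, the response should look the same to the client, so that the limiter itself does not confirm which usernames exist.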