
I'm building out a new services layer for an existing mobile application. The mobile application authenticates with the existing services layer by providing the user name and password as URL params in a GET request to the authentication endpoint. This all happens over SSL.

Initially I thought this was insecure, but this post seems to suggest it's not insecure at the transport layer: "SSL with GET and POST". The only concern is how the request is logged by the server. Given I'm writing the server side and can control logging, is this something I should worry about? Should I insist the app team change the client to send a POST request to better secure the password, or is that unnecessary?

AndrewSwerlick
  • Yes, insist on changing the request to POST. Check this: http://stackoverflow.com/questions/26671599/are-security-concerns-sending-a-password-using-a-get-request-over-https-valid – Sacx Apr 24 '15 at 13:48
  • This is helpful, but a lot of it is focused on issues with browser behavior. If you can pull out the pieces that are relevant to mobile applications and post them as an answer, I'd be happy to accept it. – AndrewSwerlick Apr 24 '15 at 14:04

1 Answer


Yes, insist on changing the request to POST.

The main issue here is the fact that the username and password will be saved in logs. As a best practice, no logs should contain sensitive information, even if they are very well secured.

This is clearly specified in RFC 2616:

15.1.3 Encoding Sensitive Information in URI's

Because the source of a link might be private information or might reveal an otherwise private information source, it is strongly recommended that the user be able to select whether or not the Referer field is sent. For example, a browser client could have a toggle switch for browsing openly/anonymously, which would respectively enable/disable the sending of Referer and From information.

Clients SHOULD NOT include a Referer header field in a (non-secure) HTTP request if the referring page was transferred with a secure protocol.

Authors of services which use the HTTP protocol SHOULD NOT use GET based forms for the submission of sensitive data, because this will cause this data to be encoded in the Request-URI. Many existing servers, proxies, and user agents will log the request URI in some place where it might be visible to third parties. Servers can use POST-based form submission instead.

Sacx
  • Thank you, this is very clear. I may even link the mobile team to it when I make the request. – AndrewSwerlick Apr 24 '15 at 14:27
  • @AndrewSwerlick You might want to give them a link to [test OTG-AUTHN-001 of the OWASP testing guide](https://www.owasp.org/index.php/Testing_for_Credentials_Transported_over_an_Encrypted_Channel_(OTG-AUTHN-001)). As it seems obvious to me that there is some room for improvement security-wise, they might want to read the guide completely. – Markus W Mahlberg Apr 25 '15 at 08:16
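The logging problem the answer describes, shown as an added example that is not part of the question or answer above: it mimics what a typical access log records for the GET-style login versus a POST, and adds a server-side check that flags and redacts credential parameters before they reach the log. The parameter names in SENSITIVE_PARAMS and the sample requests are constructed for the example.

```python
# Added example: simulate an access log entry for the two login styles the
# thread discusses and show a server-side redaction check for query-string
# credentials. SENSITIVE_PARAMS and the sample requests are constructed.
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Parameter names treated as secrets (an assumption for this example).
SENSITIVE_PARAMS = {"password", "passwd", "pwd", "token", "secret"}


def access_log_line(method: str, target: str, status: int) -> str:
    """Mimic a Common Log Format entry: the request line (method plus the
    full request-target, query string included) is recorded; the body is not."""
    return (f'10.0.0.5 - - [24/Apr/2015:13:48:00 +0000] '
            f'"{method} {target} HTTP/1.1" {status} 17')


def find_leaked_params(log_line: str) -> list[str]:
    """Return the sensitive parameter names present in a logged request-target."""
    request_line = log_line.split('"')[1]        # METHOD target HTTP/x.y
    target = request_line.split(" ")[1]
    query = urlsplit(target).query
    return [name for name, _ in parse_qsl(query) if name.lower() in SENSITIVE_PARAMS]


def redact_target(target: str) -> str:
    """Rewrite the request-target so secret values never reach the log."""
    parts = urlsplit(target)
    cleaned = [(k, "REDACTED" if k.lower() in SENSITIVE_PARAMS else v)
               for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(cleaned)))


# Constructed samples: the GET login the question describes versus a POST.
GET_LOGIN = access_log_line("GET", "/auth?username=alice&password=hunter2", 200)
POST_LOGIN = access_log_line("POST", "/auth", 200)  # credentials travelled in the body

if __name__ == "__main__":
    print(GET_LOGIN)
    print("leaked:", find_leaked_params(GET_LOGIN))   # ['password']
    print(redact_target("/auth?username=alice&password=hunter2"))
    print("leaked:", find_leaked_params(POST_LOGIN))  # []
```

Redaction only protects logs you control; the RFC's point is that proxies and other intermediaries log the request URI too, which is why moving the credentials into a POST body is the fix rather than log scrubbing.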