Question

Good morning. I'm taking an exam later today on web development. Pretty confident with most of the exam, however looking over a past paper I came across this question:

b) A developer decides to use HTTP GET to send a user message for a message board system. Explain the potential security threats and discuss how to overcome them. Note you should consider two situations:

  1. HTTP GET must be used.
  2. HTTP GET could be changed. (15 marks)

I know about POST and GET, but I'm not sure I would be able to discuss it in enough detail to achieve 15 marks.

This is an attempt of me answering the question, if suggestions can be made in an attempt to direct me in the correct direction, that would be greatly appreciated:

GET is somewhat insecure, if the message was a private message the data is likely to be sensitive and therefore GET should not be used unless added security is included. GET will display the user message in the URL allowing anyone to view this, looking over your shoulder etc. Post by nature is slightly more secure, it does not show the message in the URL and instead adds it to the HTTP header, however this is only secure if the HTTP protocol is secure and encryption should be considered for all sensitive data.

If anyone could suggest what could be written in response to this question, it would be much appreciated!

Thanks

Was it helpful?

Solution

When you are talking about security there are several levels. Using GET or POST will most likely not be a live or dead type of choice, but its definitly usefull to make a distinction between the two.

As the name suggests, GET is ment to retrieve information and POST is used to send information. If you keep that in mind, it's not that hard to know what method to use.

In your case a user is POSTING a new message to a message board. So POST would be the right answer. The reason a POST is more secure for this, is that it always requires a specific action from the user or javascript. I cannot just send you a link via email and directly make you post a new message. If I would use GET I could send you a link like http://www.example.com/postmessage.php?message=post%20me and if you click it, you would post it.

Now if your message board is secured with a username password, and you are logged in, I have posted on your behalve with the GET request and nobody would know it wasnt realy you. So that is a potential security risk.

Now if I send you a mail with a link, you still need to click it. But consider I would be allowed to post images on that same message forum. I could post an image as myself like <img src='/postmessage.php?message=post%20me' width='0' height='0'/> and every user that visits my post would also post that message, since your/their browser tries to GET the image and I have again posted on your behalf.

Now if I could post javascript, I obviously could also make a POST request. But posting javascript is a lot less common.

Another side effect of GET request is that searchengines would also spider this and would potentially create messages aswell.

And last: A get request is limited. If you want to post a large message, you would need post. See What is the maximum possible length of a query string? for a lot of detail about the query string length. You would reach the maximum quickly with GET.

Now all these security issues cannot just be solved by using POST instead of GET and would require some more effort on the serverside code. But the first step is to use the proper method.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top