HTTP GET & POST
HTTP is Hyper Text Transfer Protocol and in it we come across two types of requests. One is the HTTP GET request and the other is HTTP POST request. If you are a web developer or if you have a decent amount of knowledge of the domain. Then you probably use it or at least know it. And it is important for any developer who doesn't know the differences of it or the consequences that may rise due to uneducated use of it in particularly related to security.
What is HTTP GET & POST?
To put it in the most simplest way , They both are basically means in which information could be relayed from the client ( most of the time the browser ) to the server. The difference is the in POST requests these information are embedded in the body of the request while in case of GET these information are relayed in the URL of the request, the data encoded and appended in the "action?" in the URL as query parameters. The method in which the data are submitted could be specified in the method="POST" or method="GET" in the <form> element.Differences in Form Submission
As explained earlier GET and POST are two types of data submission specified in HTTP. But they both are done in the same way first the browser will take the data to be submitted and form a data set.
Then the data will be encoded in the way in which it is specified in the enctype. For METHOD="POST the enctype attribute can be multipart/form-data or application/x-www-form-urlencoded, whereas for METHOD="GET", only application/x-www-form-urlencoded is allowed. This form data set is then transmitted to the server.
In the GET requests the browser appends the encoded dataset into the URL after "action?" . Browser process this link and identifies the host and send a GET request to it with the rest of the information as query parameters. Then the server handles the rest.
Security Concerns
The security concerns will be explained using a practical example given in the http://www.securityinternal.com/2017/02/http-get-vs-post-in-html-forms-security.html. By referring to it you may be bit more enlightened about the subject in the practical sense. In it a simple HTML page is formed with a form submission as given below.
It is clear that in the code that <form> element is there and it uses the method="GET" as shown below.
As explained earlier earlier the GET request transmit data through the link and it is implied here in a place where sensitive data such as "Username" and more importantly "Password" are present. Let's see what happens once we went through the process.
As explained earlier earlier the GET request transmit data through the link and it is implied here in a place where sensitive data such as "Username" and more importantly "Password" are present. Let's see what happens once we went through the process.
As you can see the sensitive data that we entered are out in the plain view, and they will be stored in the log of the server and the admins of it may be able to observe it as shown by the original author in his apache log files.
Recommended Usage
In the security perspective the use of POST requests are always recommended. And if the form deals with sensitive information it is a absolute must. As shown in the above scenario, the whole situation could be altered if the method POST was used instead of GET. Then even though it is possible to get those data by intercepting the network traffic or by launching a Man-In-The-Middle attack it is much more difficult to do than observing log files.
Comments
Post a Comment