9
Awlex
1y

I have to add an endpoint to integrate an API and I want to vomit when I think about this major security issue they introduce.

What type of prehistoric dumbass thought GET requests with username and password in the query parameters is a good idea to burden your partner with.

Comments
  • 1
    To be fair the real security has to come from TLS anyway but yeah I'd disqualify that service immediately. Probably stores passwords as pain text too
  • 2
    @hjk101 TLS is fine , but still TLS doesn't protect you from the client and the web server logging the full request path to logs.

    Even if they had encrypted passwords, somewhere their Apache logs probably say

    [GET] /login?username=user&password=abc123.

    The frontend code may very well log this as well before it makes that request. Or backend code if using the API from a different service. Or hell, even the browser if someone puts this into the browser directly.

    Infact, OP should take care to not log this request, otherwise they are storing user names and passwords accidentally in logs in plaintext xD
  • 0
    @Hazarth I'm well aware about that unfortunately I've inherited a service that did this once. We disabled access to the CDN logs and wrote a custom log handler to hide the credentials. (During a grace period we needed to support this immediately deprecated mechanism)

    Where these kind of services originate there usually isn't any separation of privileges. So if you have access to the logs you have access to intercept headers and post content. Perhaps that views is outdated as just about anything uses some sort of http aware service in the middle. Even the crap generators
  • 0
    They can't even do HMAC? Jeez
Add Comment