將密碼作為 HTTP GET 請求的一部分進行提交時,可能會造成密碼被顯示、記錄或存儲在緩存中。
按照慣例,通常不會將與 HTTP GET 請求有關的參數視為敏感數據,因此 web 服務器會記錄這些數據,并將其存儲在代理緩存中,同時,web 瀏覽器也不會刻意隱藏這些數據。作為 HTTP GET 請求的一部分傳送密碼或其他敏感數據,可能會引起數據的誤用,且有可能會被攻擊者獲取。
例 1:在以下示例中,通過 HTTP GET 請求提交新的用戶密碼。
<form method="get">
Name of new user:<input type="text" name="username">
Password for new user:<input type="password" name="user_passwd">
<input type="submit" name="action" value="Create User">
</form>
method 屬性的默認值為 GET,因此忽略該屬性會引發相同后果。
[1] Standards Mapping - OWASP Top 10 2010 - (OWASP 2010) A7 Insecure Cryptographic Storage
[2] Standards Mapping - OWASP Top 10 2007 - (OWASP 2007) A8 Insecure Cryptographic Storage
[3] Standards Mapping - OWASP Top 10 2004 - (OWASP 2004) A8 Insecure Storage
[4] Standards Mapping - Security Technical Implementation Guide Version 3 - (STIG 3) APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3330 CAT I
[5] Standards Mapping - Security Technical Implementation Guide Version 3.4 - (STIG 3.4) APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3330 CAT I
[6] Standards Mapping - Common Weakness Enumeration - (CWE) CWE ID 359
[7] W3Schools HTML form method attribute
[8] W3Schools HTML5 input formmethod attribute
[9] Standards Mapping - FIPS200 - (FISMA) IA
[10] Standards Mapping - Web Application Security Consortium 24 + 2 - (WASC 24 + 2) Information Leakage
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 - (PCI 1.2) Requirement 3.4, Requirement 6.3.1.3, Requirement 6.5.8, Requirement 8.4
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 - (PCI 2.0) Requirement 3.4, Requirement 6.5.3, Requirement 8.4
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 - (PCI 1.1) Requirement 3.4, Requirement 6.5.8, Requirement 8.4
[14] Writing Secure Web Applications Advosys Consulting