Beefy Boxes and Bandwidth Generously Provided by pair Networks
There's more than one way to do things

Re: Need help figure out this Security vulnerability on this cgi code

by pemungkah (Priest)
on Apr 02, 2012 at 22:47 UTC ( #963135=note: print w/replies, xml ) Need Help??

in reply to Need help figure out this Security vulnerability on this cgi code

Any information which the user gives to you should be considered "sensitive". The warning is just trying to say, "If you send anything the way you're doing it now, it's very easy for someone to intercept and read it, because it's not encrypted."

The reason for both POST and SSL is as follows:

  1. If you use GET or PUT instead of POST, the data is in the URL, which means that it can be seen traversing the net. (Sniffers, man-in-the-middle attacks, compromised router logging the traffic passing through...). Using POST takes the data out of the URL.
  2. If you use SSL, then the content of the POST is flowing across an encrypted channel and is therefore much harder to intercept (someone with a faked cert could, for instance, but the trivial attacks listed above won't work.)
So you need both to guarantee (modulo very outside cases) that the data is secure.

As to whether the data is "sensitive" or not, it depends on the application, but a good rule of thumb is that any personally-identifiable data is sensitive. So ages, names, addresses, email addresses, IM handles, or anything that when taken together would let you identify someone.

  • Comment on Re: Need help figure out this Security vulnerability on this cgi code

Log In?

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://963135]
[erix]: never too late to pull legs
[LanX]: Official YAPC Africa 2013 Announcement
erix always game to pull legs from sleeping cells
[erix]: hm nice might do a spot of diving - Red Sea is said to be beautiful
[LanX]: well too many terrorist tourists
[erix]: I guess I can pass for a native
[LanX]: talking about destruction of diving spots
[LanX]: Nodes to consider
[erix]: oops - got to run, see you later
[robby_dobby]: erix: 'appy day'ving

How do I use this? | Other CB clients
Other Users?
Others perusing the Monastery: (13)
As of 2017-04-24 16:17 GMT
Find Nodes?
    Voting Booth?
    I'm a fool:

    Results (442 votes). Check out past polls.