Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
what should my concerns be if I we’re about to make an application that handles logins the following way:
http://api.myApp.example/printSomething/username/password/
How insecure is it compared to a normal login page that are based on POSTed user details (username+password)? Is there a difference?
Thanks
Actually, it is not much of a difference, you just make it one step easier for an attacker to mess around.
BUT: URLs are very often kept in the browser history, logs, etc., that means anyone who has access to browser (or has access to the URL) would be able to see the username and the plaintext password.
Update:
With respect to the question’s title and to clarify my answer:
Both
GETandPOSTrequests can be easily exploited for doing a brute force attack. WithGET, you would make it easier for an attacker to do this manually but most often these are automatic attacks, i.e. an application performing these requests and hence the HTTP method used is totally irrelevant.You can never prevent brut force attacks by choosing one HTTP method over the other.
You have to do such things on the server side, e.g. restricting the number of accesses per minute from one IP.