-5

Good morning. I'm taking an exam later today on web development. Pretty confident with most of the exam, however looking over a past paper I came across this question:

b) A developer decides to use HTTP GET to send a user message for a message board system. Explain the potential security threats and discuss how to overcome them. Note you should consider two situations:

  1. HTTP GET must be used.
  2. HTTP GET could be changed. (15 marks)

I know about POST and GET, but I'm not sure I would be able to discuss it in enough detail to achieve 15 marks.

This is my attempt at answering the question; if suggestions can be made to point me in the correct direction, that would be greatly appreciated:

GET is somewhat insecure; if the message was a private message, the data is likely to be sensitive and therefore GET should not be used unless added security is included. GET will display the user message in the URL, allowing anyone to view this, looking over your shoulder etc. POST by nature is slightly more secure; it does not show the message in the URL and instead adds it to the HTTP header. However, this is only secure if the HTTP protocol is secure, and encryption should be considered for all sensitive data.

If anyone could suggest what could be written in response to this question, it would be much appreciated!

Thanks

Sean_myers
  • 7
    Let's see your attempt... After all, that's what exams are for... – Mitch Wheat May 13 '13 at 07:47
  • 4
    @Sean_myers it would be nice to read your answer and then comment on it. – Ahmed Masud May 13 '13 at 07:48
  • Read my answer, it explains what you asked for, and remember there is not a big difference between the security of POST/GET. It's rather a matter of what you want to do: either send (POST) or retrieve (GET) data. – Robert May 13 '13 at 08:03
  • GET is somewhat insecure; if the message was a private message, the data is likely to be sensitive and therefore GET should not be used unless added security is included. GET will display the user message in the URL, allowing anyone to view this, looking over your shoulder etc. POST by nature is slightly more secure; it does not show the message in the URL and instead adds it to the HTTP header. However, this is only secure if the HTTP protocol is secure, and encryption should be considered for all sensitive data. – Sean_myers May 13 '13 at 08:06
  • My problem is that I haven't really covered security threats in depth, or how to overcome them. Which is really the main section of the question... But then, I haven't really covered that this year hence the reason I ask the question here. Any help would be greatly appreciated! – Sean_myers May 13 '13 at 08:07
  • @AhmedMasud I have attempted to answer the question, if you could give some feedback, that would be much appreciated. – Sean_myers May 13 '13 at 08:17
  • But you shouldn't base your app's security on POST/GET. Because, as I've written, POST can also be seen and it doesn't require much knowledge. Using POST/GET is not about security; it's about what you want to do: either retrieve a page or send some data to a PHP script. – Robert May 13 '13 at 08:17
  • @RobertPodwika Even though that is true, the question itself was taken straight from last year's past paper in the subject; it's hard to know what to write for such a question if it were to come up again. – Sean_myers May 13 '13 at 08:22

1 Answer

2

When you are talking about security there are several levels. Using GET or POST will most likely not be a life-or-death type of choice, but it's definitely useful to make a distinction between the two.

As the name suggests, GET is meant to retrieve information and POST is used to send information. If you keep that in mind, it's not that hard to know what method to use.

In your case a user is POSTING a new message to a message board. So POST would be the right answer. The reason a POST is more secure for this is that it always requires a specific action from the user or JavaScript. I cannot just send you a link via email and directly make you post a new message. If I would use GET I could send you a link like http://www.example.com/postmessage.php?message=post%20me and if you click it, you would post it.

Now if your message board is secured with a username and password, and you are logged in, I have posted on your behalf with the GET request and nobody would know it wasn't really you. So that is a potential security risk.

Now if I send you a mail with a link, you still need to click it. But consider I would be allowed to post images on that same message forum. I could post an image as myself like <img src='/postmessage.php?message=post%20me' width='0' height='0'/> and every user that visits my post would also post that message, since your/their browser tries to GET the image and I have again posted on your behalf.

Now if I could post JavaScript, I obviously could also make a POST request. But posting JavaScript is a lot less common.

Another side effect of GET requests is that search engines would also spider this and would potentially create messages as well.

And last: a GET request is limited. If you want to post a large message, you would need POST. See What is the maximum possible length of a query string? for a lot of detail about the query string length. You would reach the maximum quickly with GET.

Now all these security issues cannot just be solved by using POST instead of GET and would require some more effort on the server-side code. But the first step is to use the proper method.

Hugo Delsing
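The server-side effort the answer's last paragraph refers to, as an added example in Python (not code from the post or from any forum software): the handler refuses to change state on GET and requires a token bound to the logged-in session, so neither the emailed link nor the zero-size image can post on a user's behalf. `handle`, `csrf_token`, `SERVER_KEY`, `BOARD` and `get_required` are hypothetical names; only the `/postmessage.php` path comes from the answer, and `get_required=True` models the exam question's "GET must be used" situation.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

SERVER_KEY = secrets.token_bytes(32)  # per-deployment secret (constructed here)
BOARD = []                            # stands in for the message table


def csrf_token(session_id: str) -> str:
    """Token the server embeds in its own form; bound to one session."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def handle(method: str, url: str, session_id: str,
           body: str = "", get_required: bool = False) -> int:
    """Return the HTTP status for a request to the posting endpoint.

    session_id is what the browser's cookie resolves to; the browser sends
    that cookie automatically, which is why it proves nothing on its own.
    """
    parts = urlsplit(url)
    if parts.path != "/postmessage.php":
        return 404
    if method == "POST":
        params = parse_qs(body)
    elif method == "GET" and get_required:
        # Situation 1: GET cannot be changed. The token then travels in the
        # URL, so it also ends up in browser history and server logs.
        params = parse_qs(parts.query)
    else:
        # <img> tags, clicked links and crawlers all issue plain GETs.
        return 405
    token = params.get("csrf_token", [""])[0]
    message = params.get("message", [""])[0]
    # A forged request carries the victim's cookie but not the victim's token.
    if not hmac.compare_digest(token.encode(), csrf_token(session_id).encode()):
        return 403
    if not message:
        return 400
    BOARD.append((session_id, message))
    return 201
```
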