0

A company I shall not mention wishes us to populate an iFrame with a URL which will contain user information. This information will be used to pre-populate the form in the iFrame. Is this a security risk, as the details are viewable in the source? The details are first name, surname, address, etc. The site is using SSL throughout, if that helps.

Here's the URL:

https://moomooooo/dd.ehtml?user_id=5876745
&fname=vghfhfh
&lname=fhfghf
&title=MR
&gender=M
&dateOfBirth=03
&monthOfBirth=10
&yearOfBirth=1946
&housenum=233
&street=fghfhfghfg
&town=fhfghfgh
&postcode=S5g%207r4
&yearsAtAddress=07
&email=fghfg876jjfwdsdasd@gmail.com
&phone=447545555577540555721
Funky
  • Can you use POST instead of GET? Facebook uses POST to submit user details to iFrames. They have an HTML form in the outer page with target="iframename" which gets submitted with JavaScript on page load. – Reeno Nov 29 '13 at 14:34

2 Answers

1

If you are using HTTPS, the URL parameters will be encrypted too, so theoretically no one will be able to see them. That said, you might be better off opening an iframe with a URL using an id or a token and letting the iframe load its proper content during its initialisation; it is never good to store sensitive information within a URL (that last one could be stored in the browser history).

Flavien Volken
-1

This way of passing the parameters is not a risk per se, but it gives an attacker way too many attack vectors to test.

The attacks that I would try would be cross-site scripting (executing JS code on the victim's machine), accessing other users' information, SQL injection, and doing SSL strip and sniffing the victim's traffic to get this info, just to name a few.

My recommendation is that you either pass it within your SESSION somehow, populate those fields in a database so you access them through a hash, or at least pass it via POST.

Igarr
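
The token idea from the first answer (and the "access them through a hash" suggestion in the second), as an added example that is not part of the original posts: the details stay server-side and the iframe URL carries only a random token that is redeemed on the server. `PrefillStore`, `iframeUrl`, the `prefill` parameter and the `form.example` host are hypothetical names; the 60-second lifetime and single-use behaviour are assumptions the answers do not specify.

```javascript
// Added example (Node.js). All names and the sample host are hypothetical.
const crypto = require('node:crypto');

class PrefillStore {
  // ttlMs: how long a token stays valid; now: injectable clock for testing.
  constructor(ttlMs = 60_000, now = () => Date.now()) {
    this.ttlMs = ttlMs;
    this.now = now;
    this.entries = new Map(); // sha256(token) -> { details, expires }
  }

  // Keep the personal details server-side; hand back an unguessable 256-bit token.
  issue(details) {
    const token = crypto.randomBytes(32).toString('base64url');
    this.entries.set(PrefillStore.key(token), {
      details,
      expires: this.now() + this.ttlMs,
    });
    return token;
  }

  // Return the details exactly once; null for unknown, expired or replayed tokens.
  redeem(token) {
    if (typeof token !== 'string') return null;
    const k = PrefillStore.key(token);
    const entry = this.entries.get(k);
    if (!entry) return null;
    this.entries.delete(k); // single use: a URL left in history or logs is dead
    return entry.expires >= this.now() ? entry.details : null;
  }

  // Store only a hash, so a leaked store does not reveal live tokens.
  static key(token) {
    return crypto.createHash('sha256').update(token).digest('hex');
  }
}

// The only thing that reaches the URL (and browser history, logs, Referer).
function iframeUrl(base, token) {
  const u = new URL(base);
  u.searchParams.set('prefill', token);
  return u.toString();
}
```

The page inside the iframe sends the `prefill` value to its backend, which calls `redeem` and renders the form; the name, address and date of birth never appear in a URL.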