2

I have an API. When accessing it through a web application, I make AJAX GET and POST requests.

As I am new to this, I am wondering what the security concerns are with respect to the content type.

Right now I know of two content types I can POST the data as:

  • Base64-encoded URL

  • JSON

If I am passing the data as an encoded URL, the data will appear in the query string.

Even if it is Base64-encoded, wouldn't it be a bad way of passing sensitive information?

I read several articles and most of them said JSON or URL encoded wouldn't matter much in terms of security.

What are the security breaches that I must be concerned with when looking at the content type used to pass data between the application and the API?

Zain Farooq
  • 1
    Is the data really in the URL or is it just URL-encoded base64-encoded data in the body of the POST request? – Patrick Roberts Jan 02 '19 at 04:27
  • 1
    Treat base64 encoding/decoding as pretty much plain text. And just because you're base64 decoding/encoding something doesn't mean you need to pass it via query string. You can still POST it, same as json. – Blue Jan 02 '19 at 04:27
  • 1
    Base64-encoded strings can be decoded easily; if you want to secure data, use some cryptography tool to encode data before transmitting. – Ayan_84 Jan 02 '19 at 04:30
  • @Patrick Roberts The content type is application/x-www-form-urlencoded. I checked with the browser dev tools, and the encoded data appears in the URL. My thought is, using a basic Base64 encoding, wouldn't it be very easy to just decode the data from the URL? :) – Abhilash Gopalakrishna Jan 02 '19 at 04:32
  • This appears to be an [X/Y Problem](https://meta.stackexchange.com/questions/66377/what-is-the-xy-problem). What are you trying to achieve? What do you _need_ this for? – Blue Jan 02 '19 at 04:34
  • @FrankerZ Hi, this might be the X/Y type of question. I am learning PHP by decoding the code of an open-source application. Here they have used application/x-www-form-urlencoded to send data to an API. Since I am learning, my question is: isn't this a security risk? I read a few articles, and everywhere it says that sending as JSON or in the query string doesn't affect security much; it is an entirely different thing. So I have taken to Stack Overflow hoping to be pointed in the right direction :) – Abhilash Gopalakrishna Jan 02 '19 at 04:42

1 Answer

3

Base64 encode/decode was not developed to encrypt or transfer data securely. You can use Base64 to transfer a string that contains special characters without interrupting the protocol or function, as mentioned here.

In your case, you should use SSL to make a secure & encrypted connection between server & client.

You can also use the RSA encryption method to encrypt your data before sending it. (SSL uses this algorithm.)

When it comes to the API, there is another point (sniffing security). You should provide a security layer to protect your data from being modified along the way. You can use HMAC to verify the data.

These are very common security tips. You can find more by googling the following keywords: HMAC, Hash, RSA Encryption, SSL Certificate.

BadPiggie
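An added example (not part of the original answer), in Python with only the standard library: it shows that a Base64 field in an `application/x-www-form-urlencoded` body can be read without any key, and how an HMAC over the body lets the API detect modification. The shared key, field names, timestamp scheme and `MAX_SKEW` are assumptions made for the illustration.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode

SHARED_KEY = b"constructed-demo-key"  # assumption: secret known to client and API only
MAX_SKEW = 300  # assumed policy: seconds a signed request stays valid


def build_body(fields: dict) -> str:
    """Encode fields as application/x-www-form-urlencoded."""
    return urlencode(fields)


def sign(body: str, timestamp: int, key: bytes = SHARED_KEY) -> str:
    """HMAC-SHA256 over timestamp and body, sent next to the request (e.g. in a header)."""
    msg = f"{timestamp}.{body}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify(body: str, timestamp: int, signature: str, now: int,
           key: bytes = SHARED_KEY) -> bool:
    """Server side: reject stale requests, then compare MACs in constant time."""
    if abs(now - timestamp) > MAX_SKEW:
        return False
    return hmac.compare_digest(sign(body, timestamp, key), signature)


def read_base64_field(body: str, name: str) -> str:
    """What any observer of the body can do: Base64 is reversed without a key."""
    value = parse_qs(body)[name][0]
    return base64.b64decode(value).decode()


if __name__ == "__main__":
    # Constructed sample request
    encoded = base64.b64encode(b"pin=1234").decode()
    body = build_body({"user": "alice", "data": encoded})
    ts = 1_700_000_000
    sig = sign(body, ts)
    print(read_base64_field(body, "data"))               # plain text recovered
    print(verify(body, ts, sig, now=ts + 10))            # untouched request
    tampered = body.replace("alice", "mallory")
    print(verify(tampered, ts, sig, now=ts + 10))        # modified in transit
    print(verify(body, ts, sig, now=ts + 3600))          # presented too late
```

The HMAC only detects modification; the body stays readable unless the connection uses TLS. A key embedded in browser-side JavaScript is visible to every user, so this check suits callers that can keep the key secret.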