Especially since I've been slowly transitioning to an Application Security role at work, security issues have been brought to the forefront for me.

I won't name names, but I was looking at a business site recently that required a (quite pricey) paid subscription. Their “security” was frightening.

When you logged in, they used an HTTP GET to submit the form. They also didn't encrypt either the login or the password, and the request wasn't sent over SSL.

What does that mean? Not only were the login and password sent in clear text, both were sent in the URL! Anyone walking by can see your credentials in the browser address bar. And, of course, any logging (on the outgoing or incoming sides) or someone sniffing HTTP traffic now has your credentials.
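To make the logging point concrete, here's a small check I'd run on the server side (this is an added example of mine, not anything from the site in question): it scans access-log lines for query parameters that look like secrets, which is exactly what a GET login form leaves behind, and shows how to redact such a URL before it reaches a log. The log lines and parameter names are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs, urlencode, urlunsplit

# Constructed sample access-log lines (Common Log Format), not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /login?user=alice&password=hunter2 HTTP/1.1" 302 0
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /report?page=2 HTTP/1.1" 200 5120
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "POST /login HTTP/1.1" 302 0
198.51.100.7 - - [10/Oct/2023:13:56:09 +0000] "GET /search?q=quarterly&pwd=secret HTTP/1.1" 200 900
"""

# Query-parameter names that usually carry a secret (assumed list; extend to taste).
SENSITIVE = {"password", "passwd", "pwd", "pass", "secret", "token", "apikey", "api_key"}

# Pulls the method and request target out of the quoted request line.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def sensitive_params(target):
    """Return the sorted names of sensitive query parameters in a request target."""
    query = urlsplit(target).query
    params = parse_qs(query, keep_blank_values=True)
    return sorted(name for name in params if name.lower() in SENSITIVE)


def find_credential_leaks(log_text):
    """Return (method, path, param names) for every request whose URL carries a secret.

    A POST keeps the credentials in the body, so it never appears here; a GET
    login form puts them in the URL, where every access log records them."""
    leaks = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        names = sensitive_params(m.group("target"))
        if names:
            leaks.append((m.group("method"), urlsplit(m.group("target")).path, names))
    return leaks


def redact_target(target):
    """Replace the value of each sensitive parameter so the URL can be logged safely."""
    parts = urlsplit(target)
    params = parse_qs(parts.query, keep_blank_values=True)
    for name in params:
        if name.lower() in SENSITIVE:
            params[name] = ["REDACTED"]
    return urlunsplit(parts._replace(query=urlencode(params, doseq=True)))


if __name__ == "__main__":
    for method, path, names in find_credential_leaks(SAMPLE_LOG):
        print(f"{method} {path} exposes {', '.join(names)} in the URL")
    print(redact_target("/login?user=alice&password=hunter2"))
```

Note that the POST login in the sample never trips the check: the fix for the site above is simply POST over SSL, and redaction is only a backstop for logs you don't control.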
