Security: Brute-forcing GET-requests by URL?

Developer https://www.devze.com 2023-01-05 11:59 Source: web
What should my concerns be if we were about to make an application that handles logins the following way:

http://api.myApp.example/printSomething/username/password/

How insecure is it compared to a normal login page that is based on POSTed user details (username+password)? Is there a difference?

Thanks


Simply don't do that. Use the POST method instead. You should never allow sensitive info in URLs.


The difference is that the password is visible in the address bar, and that any site that the user goes to from your site can see the user's password in the REFERER header.


Actually, it is not much of a difference; you just make it one step easier for an attacker to mess around.

BUT: URLs are very often kept in the browser history, logs, etc., which means anyone who has access to the browser (or to the URL) would be able to see the username and the plaintext password.

Update:

With respect to the question's title and to clarify my answer:

Both GET and POST requests can be easily exploited for doing a brute force attack. With GET, you would make it easier for an attacker to do this manually, but most often these are automated attacks, i.e. an application performing these requests, and hence the HTTP method used is totally irrelevant.

You can never prevent brute force attacks by choosing one HTTP method over the other.
You have to do such things on the server side, e.g. restricting the number of accesses per minute from one IP.

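The server-side throttling this answer recommends, as an added example that is not part of the original thread: a per-IP sliding-window limit on failed logins, written here in Python, with one handler that accepts both the question's `/printSomething/username/password/` path style and a POSTed form body, so the limiter's decision is visibly independent of the HTTP method. The user record, limits, client addresses, route names and guess list are constructed for illustration; the hashing and response texts are choices made for this example, not something the thread specifies.

```python
import hashlib
import hmac
import secrets
import time
from collections import defaultdict, deque
from urllib.parse import parse_qs, quote, unquote, urlencode

MAX_FAILURES = 5       # failed attempts tolerated per IP per window (assumed policy)
WINDOW_SECONDS = 60    # sliding window length in seconds (assumed policy)
KDF_ITERATIONS = 100_000
GENERIC_FAILURE = "invalid username or password"  # identical text for every failure


def make_record(password):
    """Constructed user record: random salt + PBKDF2-HMAC-SHA256 of the password."""
    salt = secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS)


USERS = {"alice": make_record("correct horse battery staple")}  # constructed data
_DUMMY_SALT = secrets.token_bytes(16)  # used so unknown users pay the same KDF cost


def check_password(username, password):
    """Constant-time comparison; unknown users still run the KDF so response
    time does not reveal which usernames exist."""
    salt, expected = USERS.get(username, (_DUMMY_SALT, None))
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS)
    return expected is not None and hmac.compare_digest(candidate, expected)


class LoginRateLimiter:
    """Sliding-window count of failed logins per client IP."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window
        self.clock = clock                    # injectable so tests need not sleep
        self._failures = defaultdict(deque)   # ip -> timestamps of recent failures

    def _recent(self, ip):
        now = self.clock()
        q = self._failures[ip]
        while q and now - q[0] >= self.window:   # drop entries older than the window
            q.popleft()
        return q

    def allowed(self, ip):
        return len(self._recent(ip)) < self.max_failures

    def record_failure(self, ip):
        # A success deliberately does not reset the count: an attacker who owns
        # one valid account could otherwise clear the counter at will.
        self._recent(ip).append(self.clock())


def extract_credentials(request):
    """Return (username, password) from either request style, or None.

    GET  {"method": "GET",  "path": "/printSomething/alice/secret/", "body": ""}
    POST {"method": "POST", "path": "/login", "body": "username=alice&password=secret"}
    """
    if request["method"] == "GET":
        parts = request["path"].strip("/").split("/")
        if len(parts) != 3 or parts[0] != "printSomething":
            return None
        return unquote(parts[1]), unquote(parts[2])
    if request["method"] == "POST":
        form = parse_qs(request["body"], keep_blank_values=True)
        if "username" not in form or "password" not in form:
            return None
        return form["username"][0], form["password"][0]
    return None


def handle_login(request, client_ip, limiter):
    """Returns (HTTP status, message). The HTTP method never enters the decision."""
    if not limiter.allowed(client_ip):
        return 429, "too many failed logins; try again later"
    creds = extract_credentials(request)
    if creds is None:
        return 400, "malformed request"
    if check_password(*creds):
        return 200, "welcome %s" % creds[0]
    limiter.record_failure(client_ip)
    return 401, GENERIC_FAILURE


def brute_force(method, username, candidates, limiter, client_ip="203.0.113.7"):
    """Constructed attacker loop: tries each candidate password from one IP and
    returns the status codes seen. The outcome is the same for GET and POST."""
    statuses = []
    for pw in candidates:
        if method == "GET":
            path = "/printSomething/%s/%s/" % (quote(username, safe=""), quote(pw, safe=""))
            req = {"method": "GET", "path": path, "body": ""}
        else:
            req = {"method": "POST", "path": "/login",
                   "body": urlencode({"username": username, "password": pw})}
        statuses.append(handle_login(req, client_ip, limiter)[0])
    return statuses


GUESSES = ["password", "123456", "letmein", "qwerty", "admin", "welcome",
           "correct horse battery staple"]  # constructed; the correct one is never reached

if __name__ == "__main__":
    for method in ("GET", "POST"):
        print(method, brute_force(method, "alice", GUESSES, LoginRateLimiter()))
```

Run as a script, both loops print five 401s followed by 429s: the sixth request is refused before the password is even checked, and the correct password at the end of the list is never accepted from that address until the window expires. The limiter keys on the client address only, so it also shows the usual caveats of this approach: a legitimate user behind the same NAT as the attacker is locked out with them, and an attacker with many addresses needs a per-account limit as well. The example answers the question's original URL style and a POST body with the same code path, which is the point of the answer above: the method changes where the password is exposed, not how hard the guessing is.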
