1

I have a very simple admin web page that simply displays feedback messages left by users of my mobile app. The messages are sent from the app to a web server, and to view the messages one needs to visit a particular URL and supply a (very long) query string parameter.

How safe is this?

It feels like it should be rather safe, at least for such a limited admin page. There are no password forms to enter the query string, and no public web pages that link to this URL, so nothing to draw the attention of a possible attacker.

What mostly worries me is that Google might pick up on the URL if I visit it in Chrome, and possibly start linking to it in one place or another. Not sure if they do such a thing (yet) though.

Magnus

2 Answers

1

If it is a query string, and I am assuming it is served over a non-secure channel, the URL will be cached in browser history and intermediate caches, and passed via referer parameters when navigating to other URLs. It may be acceptable if it is purely to view feedback before you make it public. If it is more important I would put better controls in place.

Greg
  • If one avoids using a browser altogether, and requests the page using something like cURL from a terminal, are there still any pitfalls? The web page is purely text, so it's totally doable. I should be sending an `HTTP 404 Not found` if the query string parameter is incorrect, right? – Magnus Oct 07 '17 at 21:31
  • Rather than implementing it this way, if it is sending the messages to an endpoint for you, why not have your mobile app write these comments to a file you can access? E.g. using AWS with a lambda task and an S3 bucket? If using only curl and never a browser, that helps with the browser cache; however, any intermediate caches would still have the URL. – Greg Oct 07 '17 at 21:36
1

At a security company where I worked, we considered secrets (e.g. credit card numbers or passwords) in URLs to be a risk. They may be cached in intermediary proxies, stored in log files (server-side, in proxies, and in browser history), sent to third parties (think Google Chrome), and are visible in most address bars. All of this gives such secrets more exposure than necessary, even when using https.

If you have a totally controlled environment, e.g. your personal admin page which only you yourself will visit, it might not be a big risk. Still, it's bad practice and I don't see why you'd expose yourself to the extra risk. If you don't want server state, a JWT would be an option, though that is also easily (and often) misused. It's best and easiest to just use a normal session with a session cookie.

Luc
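The session-cookie approach from the last answer, as an added example that is not part of either answer or the asker's code: the secret is sent once in a POST body, the server issues a random session id in a cookie, and the recorded request lines never contain the secret. The paths `/login` and `/feedback`, the `sid` cookie name, the in-memory stores and the `request` helper are assumptions for illustration, and the `Secure` flag assumes the page is served over HTTPS.

```python
import hmac, io, secrets
from http.cookies import SimpleCookie
from urllib.parse import parse_qs

ADMIN_SECRET = "constructed-long-admin-secret"  # constructed value; load from config in practice
SESSIONS = set()    # hypothetical in-memory session store
ACCESS_LOG = []     # stands in for the request lines a server or proxy would log

def not_found(start_response):
    # Same response for a wrong secret, a missing cookie and an unknown path.
    start_response("404 Not Found", [("Content-Type", "text/plain")])
    return [b"Not found"]

def app(environ, start_response):
    method, path = environ["REQUEST_METHOD"], environ.get("PATH_INFO", "")
    query = environ.get("QUERY_STRING", "")
    # Logs, proxies and history record path and query, not the body or cookies.
    ACCESS_LOG.append(f"{method} {path}" + (f"?{query}" if query else ""))
    if method == "POST" and path == "/login":
        size = int(environ.get("CONTENT_LENGTH") or 0)
        form = parse_qs(environ["wsgi.input"].read(size).decode("utf-8", "replace"))
        supplied = form.get("secret", [""])[0]
        # Constant-time comparison of the submitted secret.
        if not hmac.compare_digest(supplied.encode(), ADMIN_SECRET.encode()):
            return not_found(start_response)
        sid = secrets.token_urlsafe(32)   # random session id, unrelated to the secret
        SESSIONS.add(sid)
        cookie = f"sid={sid}; HttpOnly; Secure; SameSite=Strict; Path=/"
        start_response("303 See Other", [("Location", "/feedback"), ("Set-Cookie", cookie)])
        return [b""]
    if method == "GET" and path == "/feedback":
        jar = SimpleCookie(environ.get("HTTP_COOKIE", ""))
        if "sid" in jar and jar["sid"].value in SESSIONS:
            start_response("200 OK", [("Content-Type", "text/plain"), ("Cache-Control", "no-store")])
            return [b"feedback messages go here\n"]
    return not_found(start_response)

def request(method, target, body=b"", cookie=""):
    """Drive app() with a constructed WSGI environ; returns status, headers, body."""
    path, _, query = target.partition("?")
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path, "QUERY_STRING": query,
               "CONTENT_LENGTH": str(len(body)), "wsgi.input": io.BytesIO(body),
               "HTTP_COOKIE": cookie}
    out = {}
    def start_response(status, headers):
        out["status"], out["headers"] = status, dict(headers)
    out["body"] = b"".join(app(environ, start_response))
    return out
```

With this flow the value that ends up in browser history, proxy logs and Referer headers is only `/feedback`; a request that still carries the secret in the query string is both logged with it and answered with 404.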