Security risk using token in url

by Dan Logan -
Number of replies: 3

Hi

I have created a webservice and I link it via zapier. My concern is the url in the post command sends the token in plain text in the url??

Isn't this a security issue??

Eg the url looks like below

http://xxxxxxx.xxx.xxx/webservice/rest/server.php?wstoken=dc9fec294755ee1b94f9xxxxx&moodlewsrestformat=json&wsfunction=core_user_create

Thank you

In reply to Dan Logan

Re: Security risk using token in url

by Andreas Grabs -

Hi Dan,

I am not the security guy. But you shouldn't use "http" anymore. There is no reason for that.
If you allow this, the login page is far more insecure than your webservice.
If you use "https" with proper certificate validation, your webservice URL goes encrypted through the net.

best regards
Andreas

In reply to Andreas Grabs

Re: Security risk using token in url

by Dan Logan -

Hi Andreas

Thank you for explaining it to me in plain English! I was concerned that sending the key it could be read, but if encrypted then that makes sense. On my production server it is https, so the example I gave was my test one that is http, so all good!

Regards

Dan


In reply to Dan Logan

Re: Security risk using token in url

by Juan Leyva -
Hi,
could you change the way the request is done so that instead of passing the parameters as GET it uses POST? This will enforce security (apart from using https) so web servers (or analytics tools) do not log the access tokens.
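The two pieces of advice in this thread (only ever use https, and move wstoken out of the query string into the POST body so access logs never see it) put together as a small client, added here as an example and not code from the thread or from Moodle itself. The endpoint path, the wstoken/wsfunction/moodlewsrestformat parameter names and core_user_create come from the original post; the host, the token value and the user fields are constructed placeholders. The last function only simulates what a typical web server access log records (the request line, never the body) so the difference between GET and POST can be checked offline.

```python
"""Call a Moodle REST web service function with the token in the POST body
instead of the URL, refusing plain http. Added example, not Moodle code."""
import json
import urllib.parse
import urllib.request

WS_PATH = "/webservice/rest/server.php"  # path from the original post


def build_ws_request(base_url, token, wsfunction, params):
    """Return (url, body_bytes) for a Moodle REST call.

    The token and every parameter travel in the urlencoded POST body; the
    URL carries no secret, so web server and proxy logs that record the
    request line cannot capture it. Anything that is not https is rejected
    so the token is never sent in clear text.
    """
    parts = urllib.parse.urlsplit(base_url)
    if parts.scheme != "https":
        raise ValueError("refusing to send a web service token over %r" % parts.scheme)
    url = urllib.parse.urlunsplit((parts.scheme, parts.netloc, WS_PATH, "", ""))
    body = {
        "wstoken": token,
        "wsfunction": wsfunction,
        "moodlewsrestformat": "json",
    }
    body.update(params)  # Moodle's REST server reads these from the POST body
    return url, urllib.parse.urlencode(body).encode("utf-8")


def call_ws(base_url, token, wsfunction, params, timeout=10):
    """Perform the call over the network (not exercised by the offline test)."""
    url, body = build_ws_request(base_url, token, wsfunction, params)
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    # urlopen validates the server certificate by default; do not disable that.
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


def simulated_access_log_line(method, url):
    """Mimic what a typical web server access log stores for a request: the
    method plus path and query string. POST bodies are not logged, which is
    why a token in the body is safer than one in the query string."""
    parts = urllib.parse.urlsplit(url)
    target = parts.path + ("?" + parts.query if parts.query else "")
    return '"%s %s HTTP/1.1"' % (method, target)


if __name__ == "__main__":
    # Constructed placeholders: host, token and user fields are not real.
    host = "https://moodle.example.test"
    token = "CONSTRUCTED_TOKEN"
    # Moodle's REST format expects array parameters with bracketed keys.
    user_params = {
        "users[0][username]": "jdoe",
        "users[0][firstname]": "Jane",
        "users[0][lastname]": "Doe",
        "users[0][email]": "jdoe@example.test",
    }
    url, body = build_ws_request(host, token, "core_user_create", user_params)
    print("URL sent:", url)
    print("log line:", simulated_access_log_line("POST", url))
    leaky = url + "?wstoken=" + token + "&wsfunction=core_user_create"
    print("log line if token were in the query string:",
          simulated_access_log_line("GET", leaky))
```

Note that https only protects the token in transit; it does not stop the server's own access log, a reverse proxy, or browser history from keeping a query string. Moving the token into the body addresses that second exposure, which is why the two recommendations are complementary rather than alternatives.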