The GET method should never be used when sensitive data such as credit card is being sent to a CGI program. This is because any GET command will appear in the URL, and will be logged by any servers. For example, let’s say that you’ve entered your credit card information into a form that uses the GET method. The URL may appear like this:
https://www.xsecurity-bank.com/creditcard.asp?cardnumber=453453433532234
The GET method appends the credit card number to the URL. This means that anyone with access to a server log will be able to obtain this information. How would you protect from this type of attack?
A.
Never include sensitive information in a script
B.
Use HTTPS SSLv3 to send the data instead of plain HTTPS
C.
Replace the GET with POST method when sending data
D.
Encrypt the data before you send using GET method
are you kidding? POST instead of GET is a countermeasure?
You would use SSL for transmission of course.
The focus of the question is, what if a person can read the server logs? And for that scenario, POST is a viable countermeasure.