WebApp Sec: Re: IIS log

Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

WebApp Sec mailing list archives

Re: IIS log

From: Alejandro Flores <alejandro.flores () ipad com br>
Date: 05 Aug 2003 17:25:08 -0300

        Hello Justin,

        The webserver doesn't know what is a Credit Card #. I guess the
webserver is logging the GET requests like:
someINFO someDATE GET
/something/apply.asp?ccNumber=123456789&cNumber=9871 ... ...
        Change your application to POST the requests.

Regards, 
Alejandro Flores



I just viewed an IIS log and I noticed that the credit card # is loogged.
I beleive that this is a major flaw to log credit card # is clear text.
Does anyone have any advice?


Regards,
Justin

By Date By Thread

Current thread:

IIS log Justin H Tran (Aug 05)
- Re: IIS log Alejandro Flores (Aug 05)
- Re: IIS log Randy (Aug 05)
- <Possible follow-ups>
- RE: IIS log Michael Howard (Aug 05)
  - RE: IIS log Richard M. Smith (Aug 05)
- Re: IIS log dotnetter (Aug 05)
- Re: IIS log jamesworld (Aug 05)