WebFinger: Change GET method to POST method to address vulnerability

[Ming Hui Foo]

Hi All:

Is there a proposal to convert the webfinger query from a GET to POST method to address the following vulnerability?

https://owasp.org/www-community/vulnerabilities/Information_exposure_through_query_strings_in_url

The resource identifier used in the query string could be a mobile phone number, email address, IP address, etc, which are considered Personally Identifiable Information (PII).

[Paul E. Jones]

WebFinger requests are encrypted with TLS, so neither the headers nor payload are exposed. Further, there should be no sensitive information in the headers. While the subject of the request is present, some people preferred the subject to be a query parameter and some preferred it be a component of the URI path (as opposed to a parameter). So if there was a different approach taken, the subject would have still been a part of the URI path.

With respect to those various exposure vectors enumerated on that site about ways information is leaked, this is true of any RESTful API. What is considered potentially sensitive information is the content of the WebFinger reply, especially if that reply is from a system that requires additional authentication to access. The response contains a JSON Resource Descriptor (JRD) might contain email configuration information, for example, and is carried in the response payload.

--

---
You received this message because you are subscribed to the Google Groups "WebFinger" group.
To unsubscribe from this group and stop receiving emails from it, send an email to webfinger+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/webfinger/cffda5d6-b75f-45c0-87e2-50da5d722554n%40googlegroups.com.