Reputation: 18699
I would like to verify if there are any vulnerability differences between sending data through parameters (for example: www.website.com?name=example) compared to sending data using the request body (for example using JSON: {name: example}). I know that sending data using URL parameters has security issues when done through the browser, but in my case, I am interested in the data being sent automatically from one system to another, without any browser or human interaction.
Upvotes: 2
Views: 2006
Reputation: 15570
Most of the difference between sending data in the URL vs. a request header/body is around things getting logged (another bunch of issues would be around things getting cached/stored in the browser, but that's not an issue for you).
So the most apparent problem with a URL is that any intermediate proxy (including load balancers, WAFs, who knows what) will log URL parameters, and so will the target server in most cases. An attacker might gain access to such logs, revealing potentially sensitive info. This may not only be external attackers; think of people involved in operations, but not actual users of the application - this sometimes counts a lot. Also, logs will be copied to backups and so on. Therefore the best practice is not to send sensitive info in URLs in general.
Having said that, I can possibly imagine scenarios and compensating controls that would make sending sensitive info in the URL acceptable in a specific case, but you should think carefully about your threat model. Not using the browser as a client is a good start, but far from enough.
Upvotes: 5
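To make the logging point concrete, here is an added example (not from the answer above) that scans constructed Combined Log Format access-log lines for sensitive query-string keys and redacts them; the log lines and the sensitive-key list are assumptions. The POST request whose data travelled in the JSON body leaves nothing to find, which is exactly the difference the answer describes.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode

# Constructed sample access-log lines in Combined Log Format (not real traffic).
# The first two requests carry secrets in the query string; the third sends its
# data in a JSON body, which the access log never records.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /api/user?name=alice&api_key=sk_live_123 HTTP/1.1" 200 512 "-" "svc-a/1.0"
10.0.0.5 - - [10/Oct/2023:13:55:37 +0000] "GET /api/login?user=bob&password=hunter2 HTTP/1.1" 200 77 "-" "svc-a/1.0"
10.0.0.5 - - [10/Oct/2023:13:55:38 +0000] "POST /api/user HTTP/1.1" 201 0 "-" "svc-a/1.0"
"""

# Parameter names that should never appear in a URL (assumed list; extend for your app).
SENSITIVE_KEYS = {"api_key", "apikey", "token", "access_token", "password", "secret", "session"}

# Parses the fixed prefix of a Combined Log Format line up to the response size.
LOG_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)')

def find_leaked_params(log_text):
    """Return (line_no, method, path, [leaked keys]) for every line whose query string carries a sensitive key."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        parts = urlsplit(m.group("target"))
        leaked = sorted({k for k, _ in parse_qsl(parts.query, keep_blank_values=True) if k.lower() in SENSITIVE_KEYS})
        if leaked:
            findings.append((line_no, m.group("method"), parts.path, leaked))
    return findings

def redact_line(line):
    """Replace the value of every sensitive query parameter with 'REDACTED', leaving the rest of the line intact."""
    m = LOG_RE.match(line)
    if not m or not urlsplit(m.group("target")).query:
        return line  # nothing in the URL to redact (e.g. the POST whose data went in the body)
    parts = urlsplit(m.group("target"))
    pairs = [(k, "REDACTED" if k.lower() in SENSITIVE_KEYS else v) for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    safe_target = parts._replace(query=urlencode(pairs)).geturl()
    return line.replace(m.group("target"), safe_target, 1)

if __name__ == "__main__":
    for line_no, method, path, keys in find_leaked_params(SAMPLE_LOG):
        print(f"line {line_no}: {method} {path} exposes {', '.join(keys)}")
    for line in SAMPLE_LOG.splitlines():
        print(redact_line(line))
```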