Email addresses inside URL


Is it safe to use e-mail addresses inside URLs? I mean, let's say a web application has a registered user "Bob" and Bob has registered using his email => [email protected]. Now, what's your opinion: is it safe for the application to accept and work with GET requests on //application.com/[email protected] and the same kind of URLs for every user?

4

There are 4 answers

5
Boldewyn On BEST ANSWER

Basically it depends on if you love or hate your users. When you do what you suggest, these URLs will spread on HTML pages on the web. Not necessarily confined to your own site, because people may link to it.

When your page gains enough traction to become important, crawler authors for spam bots will notice and add rules to their crawlers to extract the email address from URLs. It might not even be necessary, because some dumb regexes might already find the email without adaptation.

Then, your users' email addresses will land on spammers' lists and get "unwanted adverts", euphemistically speaking. (These email lists will be rather high-valued, too, because they are "verified" to be real, existing ones.)

What you're doing here is giving away a private bit of identification your users trusted you with. Never ever allow that to be in public, unless your users told you so!

From a technical perspective, you can just go for it.

2
Mouhamad Ounayssi On

In this case, the email address can be used as a request parameter with the GET method, e.g.:

// application.com/[email protected]

This option is safer and more commonly used.

1
Kaspars Ozols On

I think that this is not a good idea. Firstly, an email contains special characters that need to be URL encoded so they don't get mixed up with system characters (for example, for FTP servers you can pass a username like this: ftp://user:[email protected]).

Also, I would not like it from a user's perspective, as in this case my e-mail would stay in the browser history.

0
Paweł Bulwan On

One more disadvantage of using email addresses in GET request URLs is that such requests tend to be considered suspicious by security tooling.

For example, we see that the Web Application Firewall in Azure Application Gateway blocks many such requests:

{
  operationName: "ApplicationGatewayFirewall",
  category: "ApplicationGatewayFirewallLog",
  properties: {
    requestUri: "/api/users/getuserbyemail/[email protected]",
    ruleSetType: "OWASP_CRS",
    ruleSetVersion: "3.0.0",
    ruleId: "920440",
    message: "URL file extension is restricted by policy",
    action: "Matched",
    details: {
      message:
        'Warning. String match within ".asa/ .asax/ .ascx/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/" at TX:extension. ',
      data: ".com",
      file: "rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf",
      line: "1056",
    },
    policyId: "default",
    // ...
  }
}
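A small Python model of why the path form trips that rule while the query-parameter form with proper URL encoding (the option Mouhamad Ounayssi's and Kaspars Ozols' answers discuss) does not. This is an added example, not code from any of the answers or from the CRS project: the restricted-extension list is copied from the log message above, the rule logic is a simplified reconstruction of CRS rule 920440, and application.com and the /api/users/getuserbyemail route are the page's own placeholders.

```python
import re
from typing import Optional
from urllib.parse import quote, unquote, urlencode, urlsplit

# Restricted-extension list copied from the CRS 3.0.0 log message quoted above.
RESTRICTED_EXTENSIONS = (
    ".asa/ .asax/ .ascx/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ "
    ".config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ "
    ".ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ "
    ".pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ "
    ".vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/"
)


def crs_920440_extension(url: str) -> Optional[str]:
    """Simplified model of CRS 920440: take the request basename (last path
    segment, query string excluded, percent-decoded), capture what follows its
    final dot and build TX:extension as '.<ext>/'. None if there is no dot."""
    basename = unquote(urlsplit(url).path).rsplit("/", 1)[-1]
    m = re.search(r"\.([^.]+)$", basename)
    return f".{m.group(1)}/" if m else None


def crs_920440_matches(url: str) -> Optional[str]:
    """Return the offending extension (e.g. '.com') when the URL would trip the
    rule, using the same '@within' substring test the rule uses; else None."""
    ext = crs_920440_extension(url)
    if ext and ext in RESTRICTED_EXTENSIONS:
        return ext.rstrip("/")
    return None


def path_url(base: str, email: str) -> str:
    """Email as a path segment, percent-encoded (the pattern from the question)."""
    return f"{base}/api/users/getuserbyemail/{quote(email, safe='')}"


def query_url(base: str, email: str) -> str:
    """Email as an encoded query parameter; the basename no longer ends in '.com'."""
    return f"{base}/api/users/getuserbyemail?{urlencode({'email': email})}"


if __name__ == "__main__":
    # Constructed sample address; any real mailbox would behave the same way.
    for url in (path_url("https://application.com", "bob@example.com"),
                query_url("https://application.com", "bob@example.com")):
        print(url, "->", crs_920440_matches(url) or "no 920440 match")
```

Only the TLD of the address matters to this rule, so an address ending in a TLD that is not in the list passes through the path form unblocked while still being exposed to the spam-harvesting and browser-history problems the other answers describe.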