WebApp Sec mailing list archives
Re: When GET = POST?
From: Adrian Wiesmann <awiesmann () swordlord org>
Date: Sun, 10 Nov 2002 22:02:31 +0100
ASP offers both Request.Querystring & Request.Form which only deal exclusively with data from GET & POST operations respectively. For ASP when you observe GET variables being used where only POST'd variables should be applicable it will always come down to lazy (or at least uninformed) programmers as there *are* ways to avoid this problem.
It sounds very bad, but quite a few ASP developers I have seen did not know that there are several methods. It's not about speed or architecture, it's more about not knowing or that everybody around is not doing it properly. It is so much easier with the catch all function - which is also in multiple programming books...

Anyway, to come back to your question. Do penetrate such a possible vulnerability, there are so many alike-vulnerable Web-Applications out there...

Regards,
Adrian
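The distinction discussed in this message, as an added example that is not part of the original post or thread: a classic ASP handler that reads its input only from Request.Form and refuses anything but a POST, with the catch-all lookup shown in a comment for contrast. The page name transfer.asp and the field names account and amount are hypothetical.

```asp
<%@ Language="VBScript" %>
<%
Option Explicit
' Added example: hypothetical handler "transfer.asp" with hypothetical
' form fields "account" and "amount".
'
' Weak form (the catch-all lookup): the default Request collection searches
' QueryString, Form, Cookies, ClientCertificate and ServerVariables in that
' order, so a value placed in the URL is accepted, and takes precedence,
' even though the page was written for a posted form:
'     amount = Request("amount")

Dim account, amount

' 1. A state-changing page accepts POST only.
If UCase(Request.ServerVariables("REQUEST_METHOD")) <> "POST" Then
    Response.Status = "405 Method Not Allowed"
    Response.AddHeader "Allow", "POST"
    Response.End
End If

' 2. A POST can still carry a query string. Refuse requests that supply the
'    form's field names in the URL instead of silently ignoring them, so a
'    mixed request shows up as an error rather than as ambiguous input.
If Request.QueryString("account").Count > 0 _
   Or Request.QueryString("amount").Count > 0 Then
    Response.Status = "400 Bad Request"
    Response.End
End If

' 3. Read strictly from the posted body.
account = Trim(Request.Form("account"))
amount = Trim(Request.Form("amount"))

' 4. Validate before use.
If Len(account) = 0 Or Not IsNumeric(amount) Then
    Response.Status = "400 Bad Request"
    Response.End
End If

Response.Write "Accepted: " & Server.HTMLEncode(amount) & _
               " for account " & Server.HTMLEncode(account)
%>
```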