WebApp Sec mailing list archives
Re: When GET = POST?
From: Daniel Hedrick <daniel () hedrick org>
Date: Tue, 12 Nov 2002 12:28:49 -0600
Sayeth Kevin Spett on Tue, Nov 12, 2002 at 10:45:34AM -0500:
> Consider a development team, where some developers check request methods before performing operations and some don't. If developers are inconsistent about method-checking, functionality could be broken, possibly in a way affecting security, by someone making a GET where it expected a POST. i.e., data is only sanitized on POSTs, because one person wrote or modified that code, but the application will accept and process a GET, because someone else wrote that. Of course, the bottom line here is making your code consistent and able to handle both situations, but it's something to think about here.
In my mind, this is not a bug in the code, but rather a failure to properly communicate programming standards (no matter how strict or relaxed) to your team. -dlh
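The inconsistency Kevin describes, as an added example that is not part of either post: a toy "comment" endpoint in plain Python where one developer sanitized input only on the POST branch and another later added GET handling that reads the parameter straight from the query string. The hardened version beside it declares the methods it accepts and routes every parameter through a single sanitizer regardless of where it came from. The `Request` class, the `sanitize` helper and the field names are constructed for illustration, not taken from any framework.

```python
"""Inconsistent request-method checking versus a single input policy.

Constructed example: a 'comment' endpoint touched by two developers.
Developer A wrote the POST branch and sanitized the field. Developer B
added GET support and read the parameter directly, bypassing the
sanitizer. The hardened handler applies one method policy and one input
policy, so the outcome does not depend on who wrote which branch.
"""
import html
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Request:
    """Minimal stand-in for a framework request object (constructed)."""
    method: str
    query: Dict[str, str] = field(default_factory=dict)  # URL parameters
    form: Dict[str, str] = field(default_factory=dict)   # POST body fields


def sanitize(value: str) -> str:
    """Neutralize HTML so stored text cannot inject markup when rendered."""
    return html.escape(value, quote=True)


def store_comment_inconsistent(req: Request) -> Optional[str]:
    """Vulnerable pattern: sanitization lives only on the POST path.

    Returns the value that would be written to storage.
    """
    if req.method == "POST":
        # Developer A's branch: sanitized.
        return sanitize(req.form.get("comment", ""))
    # Developer B's branch: same operation, any other method, no sanitizing.
    return req.query.get("comment", "")


# The endpoint states up front which methods it is willing to process.
ALLOWED_METHODS = {"POST"}


def store_comment_consistent(req: Request) -> Optional[str]:
    """Hardened pattern: one method policy, one input policy.

    Methods outside ALLOWED_METHODS are refused (a real framework would
    answer 405 Method Not Allowed); None models that refusal here. Query
    and form parameters are merged through one accessor so the sanitizer
    runs no matter which developer's branch supplied the value.
    """
    if req.method not in ALLOWED_METHODS:
        return None
    params = {**req.query, **req.form}
    return sanitize(params.get("comment", ""))


if __name__ == "__main__":
    # Constructed input: the same markup sent via POST body and via GET query.
    payload = "<script>alert(1)</script>"
    post = Request("POST", form={"comment": payload})
    get = Request("GET", query={"comment": payload})
    print("inconsistent/POST:", store_comment_inconsistent(post))
    print("inconsistent/GET :", store_comment_inconsistent(get))
    print("consistent/POST  :", store_comment_consistent(post))
    print("consistent/GET   :", store_comment_consistent(get))
```

The point of the merged `params` dict is that the sanitizer's placement no longer depends on the request method; whether a team chooses to accept both methods or only one, the check should sit in a shared accessor rather than in each developer's branch.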