WebApp Sec mailing list archives

Re: When GET = POST?


From: Daniel Hedrick <daniel () hedrick org>
Date: Tue, 12 Nov 2002 12:28:49 -0600

Sayeth Kevin Spett on Tue, Nov 12, 2002 at 10:45:34AM -0500:
Consider a development team, where some developers check request methods
before performing operations and some don't.  If developers are inconsistent
about method-checking, functionality could be broken, possibly in a way
affecting security, by someone making a GET where it expected a POST. i.e.,
data is only sanitized on POSTs, because one person wrote or modified that
code, but the application will accept and process a GET, because someone
else wrote that.  Of course, the bottom line here is making your code
consistent and able to handle both situations, but it's something to think
about here.

In my mind, this is not a bug in the code, but rather a failure
to properly communicate programming standards (no matter how
strict or relaxed) to your team.

-dlh
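The situation the thread describes, as an added example that is not part of the original posts: one handler escapes a parameter only on the POST path while a separately written GET path processes the same parameter raw, beside a handler that applies one policy regardless of method. The `Request` class, handler names and the `method_consistency_check` helper are assumptions for illustration, not anything from the list.

```python
"""Added example (not from the WebApp Sec thread): inconsistent vs.
consistent request-method handling, plus a check that sends the same
input over GET and POST and compares how each path treats it."""
import html
from dataclasses import dataclass
from typing import Callable, Dict

@dataclass
class Request:
    """Minimal stand-in for a framework request object (assumption).
    `params` is the merged query-string / form-field view that many
    frameworks expose, which is what lets a GET reach POST-only code."""
    method: str
    params: Dict[str, str]

def sanitize(value: str) -> str:
    """Escape for HTML output; stands in for whatever the POST author added."""
    return html.escape(value, quote=True)

def inconsistent_handler(req: Request) -> str:
    """The failure mode from the thread: sanitization was added on the
    POST branch by one developer, while another developer's code still
    accepts and renders the same parameter on GET without it."""
    comment = req.params.get("comment", "")
    if req.method == "POST":
        comment = sanitize(comment)
    # GET falls through here with the raw value.
    return f"<p>{comment}</p>"

def consistent_handler(req: Request) -> str:
    """One policy for the endpoint: refuse methods it does not expect and
    sanitize on every accepted path, so the method cannot select a branch
    that skips the check."""
    if req.method != "POST":
        return "405 Method Not Allowed"
    comment = sanitize(req.params.get("comment", ""))
    return f"<p>{comment}</p>"

def method_consistency_check(handler: Callable[[Request], str],
                             sample: str) -> Dict[str, str]:
    """Defender's test: feed the same parameter via GET and POST and
    return what each path produced. Any difference in treatment is the
    inconsistency the thread is about."""
    return {m: handler(Request(m, {"comment": sample}))
            for m in ("GET", "POST")}

def leaks_raw_input(handler: Callable[[Request], str], sample: str) -> bool:
    """True if some method path reflects the sample without sanitizing it."""
    results = method_consistency_check(handler, sample)
    return any(sample in out for out in results.values())

if __name__ == "__main__":
    # Constructed sample input: harmless markup that a sanitizer should escape.
    SAMPLE = "<b>x</b>"
    for name, h in (("inconsistent", inconsistent_handler),
                    ("consistent", consistent_handler)):
        print(name, method_consistency_check(h, SAMPLE),
              "leaks raw input:", leaks_raw_input(h, SAMPLE))
```

The check is the kind of thing that belongs in a project's test suite rather than in a coding standard: it turns the standard ("every endpoint declares which methods it accepts and sanitizes on all of them") into something that fails the build when two developers' code paths disagree.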