WebApp Sec mailing list archives
RE: When GET = POST?
From: Glyn Geoghegan <glyn.geoghegan () corsaire com>
Date: Thu, 14 Nov 2002 10:21:36 -0000
Jeff Dafoe wrote:

> > I'm going to buck the trend here, and say that from the point of view
> > of the script processing the form data, I don't think it matters that
> > much.
>
> I am glad someone else feels the way I do about this issue. In the case
> of a web application, it's not important to the script which method was
> used to submit the data as long as proper validation and sanitization is
> performed. All that you really need to know is that the data originated
> from an untrusted source and should be checked accordingly. I could see
> where explicitly checking for POST could lull someone into a false sense
> of security. Logging aside, POSTed data is no safer than data sent via
> GET, so there is no point in checking to see which method was used to
> submit the data.
>
> Jeff
Hi,

It is worth noting that 'practical' CSS attacks often rely on a GET request to a vulnerable site, including abuse of back-end processing of an expected POST. These are, for example, executed through a social-engineering email/website with a customised link containing the CSS attack.

AFAIK *this* form of CSS attack is only possible through a GET request, so it's worth designing the apps to receive over POSTs, and to enforce that.
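The two positions in the thread are not mutually exclusive, and the handler below (an added example written for this archive page, not code posted by either author) shows them side by side: input is validated identically whatever the method, as Jeff argues, and a state-changing action is refused unless it arrives by POST, as Glyn argues. It goes one step beyond the thread by also requiring a per-session anti-forgery token, since a POST-only check on its own does not stop a cross-site page from auto-submitting a form. The endpoint (an "update e-mail address" action), the in-memory session store, and the `handle_request(method, query_string, body, session_id)` signature are all constructed for the example; a real application would wire this into its framework's request object and session storage.

```python
import hmac
import secrets
from urllib.parse import parse_qs

# Constructed in-memory store: session id -> anti-forgery token.
# A real application would keep this in its server-side session.
SESSION_TOKENS = {}


def issue_token(session_id):
    """Mint a fresh token for the session and remember it server-side.

    The token is embedded in the legitimate form as a hidden field; a link
    or page on another site has no way to learn it.
    """
    token = secrets.token_hex(16)
    SESSION_TOKENS[session_id] = token
    return token


def validate_email(value):
    """Same validation regardless of how the value arrived (GET or POST).

    Returns the value if it looks like a plausible address, else None.
    Deliberately simple; the point is that it runs unconditionally.
    """
    if not value or len(value) > 254 or any(c.isspace() for c in value):
        return None
    local, sep, domain = value.partition("@")
    if not sep or not local or not domain or "." not in domain:
        return None
    return value


def handle_request(method, query_string, body, session_id):
    """Hypothetical handler for a state-changing action.

    Returns (status_code, message). The query string is accepted as a
    parameter only to make the point that it is never consulted here:
    parameters for this action are read from the POST body alone, so
    nothing can be smuggled in through the URL.
    """
    # Enforce POST for anything that changes state. A crafted link in an
    # e-mail or on another site can only produce a GET, so it is refused.
    if method != "POST":
        return 405, "Method Not Allowed"

    params = parse_qs(body, keep_blank_values=True)

    # Anti-forgery token must match the one issued to this session.
    # compare_digest on bytes avoids a timing side channel and a TypeError
    # on non-ASCII input.
    submitted = params.get("token", [""])[0]
    expected = SESSION_TOKENS.get(session_id)
    if not expected or not hmac.compare_digest(submitted.encode(), expected.encode()):
        return 403, "Forbidden"

    # Untrusted data is checked no matter which method carried it.
    email = validate_email(params.get("email", [""])[0])
    if email is None:
        return 400, "Bad Request"

    # State change would happen here (constructed: just report it).
    return 200, f"email updated to {email}"


if __name__ == "__main__":
    sid = "sess-1"
    tok = issue_token(sid)
    # A link-borne GET, even with a valid token, is refused outright.
    print(handle_request("GET", f"email=a@b.test&token={tok}", "", sid))
    # A genuine form submission from the application's own page succeeds.
    print(handle_request("POST", "", f"email=a@b.test&token={tok}", sid))
```

The ordering inside `handle_request` matters: the method check comes first because it is the cheapest and needs no session state, the token check comes before any parsing of business data so a forged request never reaches validation logic, and validation runs last but unconditionally. Rejecting a token supplied in the URL of a POST (fifth assertion in the test below) is what keeps the "GET = POST" parameter merging done by some frameworks from undermining the design.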
Current thread:
- Re: When GET = POST?, (continued)
- Re: When GET = POST? Adrian Wiesmann (Nov 10)
- Re: When GET = POST? Kevin Spett (Nov 11)
- Re: When GET = POST? Jason Childers (Nov 11)
- Re: When GET = POST? Charles Miller (Nov 11)
- Re: When GET = POST? Jeff Dafoe (Nov 11)
- Re: When GET = POST? Jason Healy (Nov 11)
- Re: When GET = POST? Kevin Spett (Nov 12)
- Re: When GET = POST? Daniel Hedrick (Nov 12)
- Re: When GET = POST? Jeff Dafoe (Nov 11)
- Re: When GET = POST? Steven M. Christey (Nov 11)
- RE: When GET = POST? Glyn Geoghegan (Nov 14)
- RE: When GET = POST? Glyn Geoghegan (Nov 14)