WebApp Sec mailing list archives
Re: IIS log - GETs vs. POSTs
From: Lucas Holt <luke () foolishgames com>
Date: Sat, 30 Aug 2003 16:09:21 -0400
Bottom line, use POST when possible. Also buy an SSL key for web applications.
I'd like to comment on this example: <FORM METHOD="POST" ACTION="/cgi-bin/useradd.cgi?data"> In this case, aren't you posting to a URL with a query string? The official reason for using POST requests is for bodies that are larger than the common default accepted by user agents. Query strings can only be so long. Information hiding is a side benefit.
I think people should realize that using POST does not make your application secure in any way. You must check user input. I could take lynx, hack the source, and add a feature to change hidden variables on forms, etc. I've actually seen plugins to do that with Mozilla. Programming web applications is far more serious than conventional apps... because EVERYONE can access/attack them. It's a lot like having a Windows machine on the internet with no firewall or patches. :)
Lucas Holt Luke () FoolishGames com
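An added example, not part of the original post: a small audit over W3C extended log lines (the format IIS writes) that lists requests whose query string ended up in the log, including a POST to a URL like the `useradd.cgi?data` form above. The log lines, addresses and the `login.cgi` and `search.cgi` paths are constructed sample data.

```python
# Added example: find requests whose URL query string was written to a
# W3C extended format web log, and single out the POSTs among them.
# Every log line below is constructed sample data.

SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2003-08-30 16:01:02 192.0.2.10 GET /index.html - 200
2003-08-30 16:01:07 192.0.2.10 POST /cgi-bin/useradd.cgi data 200
2003-08-30 16:01:09 192.0.2.11 POST /cgi-bin/login.cgi - 200
2003-08-30 16:01:15 192.0.2.12 GET /cgi-bin/search.cgi q=test 200
"""


def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names for following rows
        elif line.startswith("#") or not line.strip():
            continue                           # other directives, blank lines
        elif fields:
            values = line.split()
            if len(values) == len(fields):     # skip truncated or malformed rows
                yield dict(zip(fields, values))


def logged_query_data(text):
    """Return (method, stem, query) for every request with a logged query string."""
    hits = []
    for rec in parse_w3c(text):
        query = rec.get("cs-uri-query", "-")
        if query != "-":                       # "-" marks an empty field
            hits.append((rec["cs-method"], rec["cs-uri-stem"], query))
    return hits


def posts_with_query(text):
    """POST requests whose ACTION URL still carried data in the query string."""
    return [hit for hit in logged_query_data(text) if hit[0] == "POST"]


if __name__ == "__main__":
    for method, stem, query in logged_query_data(SAMPLE_LOG):
        print(f"{method} {stem} logged query: {query}")
```

The POST to `login.cgi` leaves nothing in `cs-uri-query`, while the POST to `useradd.cgi?data` is logged with its query string exactly as a GET would be.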