WebApp Sec mailing list archives

Re: When GET = POST?

From: Alonso Robles <kha0z () earthlink net>
Date: Sat, 9 Nov 2002 02:38:15 -0800

Comments inline...

On Tuesday, November 5, 2002, at 02:54  AM, Chris Thomas wrote:

Hi,

This has been troubling me for  a while.

When pen testing web apps where a page POSTs data it often seems just as
effective (and easier) to encode the data in the URL (i.e. use and HTTP
GET ). Is guess this is because many server-side languages do not
differentiate how a variable is set?

Yes they do. While the retrieval mechanism can make the differentiationcompletely transparent for the web application developer, it is alwaysgood practice to call the expected variable from the header that isexpected.


Whilst, from a pen test perspective,  I can see there both positive and
negative aspects to doing this, I'd like to understand it a bit better
from the application designer's/ coder's viewpoint:

There are two reasons to consider using POST vs GET methods that come tomind from a developer perspective.

1. Obfuscation: POST hides the variables from the URL that can beeasily seen in any web browser. This makes any possible attacker have towork harder to check what variables and data types are passed in a postform.

2. Amount of data and non-text data types: You can not pass binarydata in the query string of a URL. Additionally, the HTTP RFCs limit theamount of data that can be passed in a GET header significantly to thatin a POST header.

- Why does it happen? Is it just lazy coding or do languages like ASP
offer no way to differentiate if data was POSTed or GETed?


It is lazy coding and not secure.

- How is this situation handled in common server side languages such
PHP, etc?

Turn globals off!!! That is a major security issue anyway. You can referto a POST variable in PHP by using the $_POST array to access the data.For example, if you are expecting a value for a variable you named"article" you can reference that data by using $_POST['article']. If youare expecting it in a GET header you can do it the same by referencing$_GET['article'].


Chris

Current thread:

When GET = POST? Chris Thomas (Nov 08)
- Re: When GET = POST? Alonso Robles (Nov 09)
  - Re: When GET = POST? Jonas Anden (Nov 10)
    - Re: When GET = POST? Vincent Janelle (Nov 10)
- Re: When GET = POST? David Bullock (Nov 09)
- RE: When GET = POST? Tony Welsh (Nov 09)
  - Re: When GET = POST? Adrian Wiesmann (Nov 10)
- Re: When GET = POST? Kevin Spett (Nov 11)
  - Re: When GET = POST? Jason Childers (Nov 11)
- Re: When GET = POST? Charles Miller (Nov 11)
  - Re: When GET = POST? Jeff Dafoe (Nov 11)
    - Re: When GET = POST? Jason Healy (Nov 11)

(Thread continues...)