WebApp Sec mailing list archives

RE: When GET = POST?


From: "Tony Welsh" <lists () evolvedcode net>
Date: Sat, 9 Nov 2002 13:11:16 -0000

ASP offers both Request.Querystring & Request.Form, which deal
exclusively with data from GET & POST operations respectively.  For ASP, when
you observe GET variables being used where only POST'd variables should be
applicable it will always come down to lazy (or at least uninformed)
programmers, as there *are* ways to avoid this problem.

The reason this problem comes about is that instead of querying just a
specific collection of variables from the Request object it's also possible
to query the entire Request object itself for a variable, so instead of
using Request.Querystring("Blah") I could use Request("Blah").  This is not
recommended because it queries the following collections from the Request
object in the order:

.Querystring
.Form
.Cookies
.ClientCertificate
.ServerVariables

Aside from being much slower than a request against a single collection, it
also allows you very little control over which collection it will return
data from, other than the order in which they are queried; e.g. if variable
"blah" is not found in the GET or POST data then potentially Request("Blah")
could end up returning that variable from a cookie, client certificate or
server variable!

Hope that helps...

Regards
Tony
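A small model of the fallback lookup Tony describes, added here as an illustration; it is not code from the post and not ASP's own implementation. The Request class below is constructed for the example: its five collections are plain dicts, searched in the order the post gives, with case-insensitive names as in ASP. The `any()` method stands in for the bare `Request("Blah")` form, `form()` for `Request.Form("Blah")`, and `handle_transfer` shows the defensive pattern the post recommends: check the verb and read only the collection that verb is meant to populate.

```python
from dataclasses import dataclass, field

# Order in which the bare Request("name") form searches the collections,
# as described in the post.
LOOKUP_ORDER = ("QueryString", "Form", "Cookies",
                "ClientCertificate", "ServerVariables")


def _ci_get(collection, name):
    """Case-insensitive lookup, mirroring ASP collection key handling."""
    wanted = name.lower()
    for key, value in collection.items():
        if key.lower() == wanted:
            return value
    return None


@dataclass
class Request:
    """Constructed stand-in for the ASP Request object (not the real one)."""
    method: str
    QueryString: dict = field(default_factory=dict)
    Form: dict = field(default_factory=dict)
    Cookies: dict = field(default_factory=dict)
    ClientCertificate: dict = field(default_factory=dict)
    ServerVariables: dict = field(default_factory=dict)

    def any(self, name):
        """Models Request("name"): first hit in LOOKUP_ORDER wins.
        Returns (value, collection_name) so the caller can see where
        the value actually came from, or (None, None)."""
        for coll_name in LOOKUP_ORDER:
            value = _ci_get(getattr(self, coll_name), name)
            if value is not None:
                return value, coll_name
        return None, None

    def form(self, name):
        """Models Request.Form("name"): POST body only."""
        return _ci_get(self.Form, name)

    def querystring(self, name):
        """Models Request.QueryString("name"): URL parameters only."""
        return _ci_get(self.QueryString, name)


def handle_transfer(req):
    """Defensive handler for a state-changing action.

    Accepts only POST and reads the amount only from the Form collection,
    so a value supplied in the URL, a cookie or a server variable is never
    mistaken for the submitted form field.
    Returns (status_code, message)."""
    if req.method != "POST":
        return 405, "method not allowed"
    amount = req.form("amount")
    if amount is None:
        return 400, "missing form field: amount"
    return 200, f"transfer {amount}"


if __name__ == "__main__":
    # Constructed requests showing the ambiguity of the bare lookup.
    via_url = Request("GET", QueryString={"Amount": "500"})
    via_cookie = Request("POST", Cookies={"amount": "999"})
    proper = Request("POST", Form={"amount": "42"})

    for label, req in (("GET/url", via_url), ("POST/cookie", via_cookie),
                       ("POST/form", proper)):
        value, source = req.any("amount")
        print(f"{label:12} Request('amount') -> {value!r} from {source}; "
              f"handler -> {handle_transfer(req)}")
```

Running the block shows the bare lookup returning "500" from QueryString on a GET and "999" from Cookies on a POST that carried no form field, while `handle_transfer` rejects both and accepts only the request whose Form collection holds the value.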

-----Original Message-----
From: Chris Thomas [mailto:chris.thomas () lodoga co uk]
Sent: 05 November 2002 10:54
To: webappsec () securityfocus com
Subject: When GET = POST?


Hi,

This has been troubling me for a while.

When pen testing web apps where a page POSTs data it often seems just as
effective (and easier) to encode the data in the URL (i.e. use an HTTP
GET). I guess this is because many server-side languages do not
differentiate how a variable is set?

Whilst, from a pen test perspective, I can see there are both positive and
negative aspects to doing this, I'd like to understand it a bit better
from the application designer's/coder's viewpoint:

- Why does it happen? Is it just lazy coding or do languages like ASP
offer no way to differentiate if data was POSTed or GETed?

- How is this situation handled in common server side languages such as
PHP, etc?

Chris
