WebApp Sec mailing list archives

Re: When GET = POST?

From: Vincent Janelle <random () goblinstudios com>
Date: Sun, 10 Nov 2002 13:49:31 -0800

Jonas Anden wrote:

There are two reasons to consider using POST vs GET methods that come tomind from a developer perspective.
1. Obfuscation: POST hides the variables from the URL that can beeasily seen in any web browser. This makes any possible attacker have towork harder to check what variables and data types are passed in a postform.
2. Amount of data and non-text data types: You can not pass binarydata in the query string of a URL. Additionally, the HTTP RFCs limit theamount of data that can be passed in a GET header significantly to thatin a POST header.
Actually, I consider the biggest reason for using POST instead of GET is
that since GET requests are part of the URL, they are generally logged.
Consider the case where you pass sensitive data such as credit card
numbers through a GET request. Doesn't matter how well you encrypt your
database or your session, the credit card numbers still appear in clear
text in the web server logs.

 // J

The reason is that most browsers/webservers have a limit on the size ofa get request. Most people weren't worried about sending credit cardinformation over the net way back in the day :\

Current thread:

When GET = POST? Chris Thomas (Nov 08)
- Re: When GET = POST? Alonso Robles (Nov 09)
  - Re: When GET = POST? Jonas Anden (Nov 10)
    - Re: When GET = POST? Vincent Janelle (Nov 10)
- Re: When GET = POST? David Bullock (Nov 09)
- RE: When GET = POST? Tony Welsh (Nov 09)
  - Re: When GET = POST? Adrian Wiesmann (Nov 10)
- Re: When GET = POST? Kevin Spett (Nov 11)
  - Re: When GET = POST? Jason Childers (Nov 11)
- Re: When GET = POST? Charles Miller (Nov 11)
  - Re: When GET = POST? Jeff Dafoe (Nov 11)
    - Re: When GET = POST? Jason Healy (Nov 11)
  - Re: When GET = POST? Kevin Spett (Nov 12)
    - Re: When GET = POST? Daniel Hedrick (Nov 12)

(Thread continues...)