WebApp Sec mailing list archives

Re: When GET = POST?

From: Charles Miller <cmiller () pastiche org>
Date: Tue, 12 Nov 2002 07:28:44 +1100

Okay, so this is a pretty belated reply.

On Tuesday, November 5, 2002, at 09:54  PM, Chris Thomas wrote:

- Why does it happen? Is it just lazy coding or do languages like ASP
offer no way to differentiate if data was POSTed or GETed?

I'm going to buck the trend here, and say that from the point of viewof the script processing the form data, I don't think it matters thatmuch.

It matters _before_ the user sends the data. Whether you putmethod="POST" or method="GET" in your form tag matters, for all thereasons noted in other posts and some that haven't. (data lengthlimits, susceptibility to caching and logging (especially refererlogs), appearance in browser-history, effect of returning to the pagefrom the back button or browser history) My general rule is that if youwant someone to be able to bookmark a query or email it to someone elseyou use GET, otherwise you use POST.

After the form is submitted, however, it's just data. If someonesubverts a form so that the contents are sent by GET instead of POST orvice versa, it's not really a security problem for the server. It maybe a security risk for the user, but it's certainly not something auser can do by mistake. To the program that must interpret thesubmission, it's all still user-provided data.

The exception would be cross-site scripting. If your application may bevulnerable to XSS, POST is marginally more trustworthy than GET,because browsers are more likely to warn about a cross-site POST. Butonly marginally, you also have to assume users are likely to ignore thewarning and perform the dangerous POST regardless. If you are takingany other, more effective measures to combat XSS, the difference intrustworthiness between GET and POSTed data is largely erased.

There may also be a design-by-contract justification, using theform-handling scripts to verify that the HTML has been writtencorrectly. But that doesn't move the ultimate responsibility away fromthe HTML, it's just a useful verification of correctness.

I'm quite possibly wrong. Can someone model a threat based around thesubstitution of one kind of form submission for another, assuming thewebapp is already being vigilant against cross-site scripting?


Charles Miller

--
Contributing to the Heat Death of the Universe since 1975.
http://fishbowl.pastiche.org -- the weblog

Current thread:

When GET = POST? Chris Thomas (Nov 08)
- Re: When GET = POST? Alonso Robles (Nov 09)
  - Re: When GET = POST? Jonas Anden (Nov 10)
    - Re: When GET = POST? Vincent Janelle (Nov 10)
- Re: When GET = POST? David Bullock (Nov 09)
- RE: When GET = POST? Tony Welsh (Nov 09)
  - Re: When GET = POST? Adrian Wiesmann (Nov 10)
- Re: When GET = POST? Kevin Spett (Nov 11)
  - Re: When GET = POST? Jason Childers (Nov 11)
- Re: When GET = POST? Charles Miller (Nov 11)
  - Re: When GET = POST? Jeff Dafoe (Nov 11)
    - Re: When GET = POST? Jason Healy (Nov 11)
  - Re: When GET = POST? Kevin Spett (Nov 12)
    - Re: When GET = POST? Daniel Hedrick (Nov 12)
- <Possible follow-ups>
- Re: When GET = POST? Steven M. Christey (Nov 11)
- RE: When GET = POST? Glyn Geoghegan (Nov 14)
- RE: When GET = POST? Glyn Geoghegan (Nov 14)