WebApp Sec mailing list archives

RE: When GET = POST?


From: Glyn Geoghegan <glyn.geoghegan () corsaire com>
Date: Thu, 14 Nov 2002 10:21:36 -0000

Jeff Dafoe wrote:

I'm going to buck the trend here, and say that from the point of view of the script processing the form data, I don't think it matters that much.

    I am glad someone else feels the way I do about this 
issue.  In the case of a web application, it's not important 
to the script which method was used to submit the data as 
long as proper validation and sanitization is performed.  All 
that you really need to know is that the data originated from 
an untrusted source and should be checked accordingly.  I 
could see where explicitly checking for POST could lull 
someone into a false sense of security.  Logging aside, 
POSTed data is no safer than data sent via GET, so there is 
no point in checking to see which method was used to submit the data.

Jeff

Hi,

It is worth noting that 'practical' CSS attacks often rely on a GET request
to a vulnerable site, including abuse of back-end processing of an expected
POST.  These are, for example, executed through a social-engineering
email/website with a customised link containing the CSS attack.  

AFAIK *this* form of CSS attack is only possible through a GET request, so
it's worth designing the apps to receive over POSTs, and to enforce that.


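As an added illustration of the two points made in this exchange (Jeff's, that the script must validate the data the same way whichever method delivered it, and Glyn's, that actions a crafted link could trigger should refuse GET), here is a small framework-free Python handler. It is example code written for this archive page, not code from either poster or from Corsaire; the paths, the account and amount rules and the sample requests are all constructed.

```python
from urllib.parse import parse_qs

# Paths whose handlers change server state. These are the ones a crafted
# GET link could trigger, so GET is refused for them outright.
STATE_CHANGING = {"/transfer"}


def parse_params(method, query_string, body):
    """Collect parameters from the query string and, for POST, the body.

    Both sources are untrusted; nothing here treats the body as safer.
    parse_qs returns lists, so the first value of each key is kept.
    """
    params = {}
    sources = [query_string]
    if method == "POST":
        sources.append(body)
    for source in sources:
        for key, values in parse_qs(source, keep_blank_values=True).items():
            params[key] = values[0]
    return params


def valid_account(value):
    # Constructed rule: an account id is exactly eight ASCII digits.
    return value.isascii() and value.isdigit() and len(value) == 8


def valid_amount(value):
    # Constructed rule: a whole number of units between 1 and 10000.
    return value.isascii() and value.isdigit() and 0 < int(value) <= 10000


def handle(method, path, query_string="", body=""):
    """Dispatch a request; return (status, message)."""
    if path in STATE_CHANGING and method != "POST":
        return 405, "method not allowed: this action requires POST"
    params = parse_params(method, query_string, body)
    if path == "/balance":
        # Read-only: GET is fine, but the parameter is validated all the same.
        if not valid_account(params.get("account", "")):
            return 400, "invalid account"
        return 200, "balance for " + params["account"]
    if path == "/transfer":
        # Reached only via POST, yet the data is checked exactly as for GET.
        if not valid_account(params.get("to", "")):
            return 400, "invalid account"
        if not valid_amount(params.get("amount", "")):
            return 400, "invalid amount"
        return 200, "queued transfer of " + params["amount"] + " to " + params["to"]
    return 404, "not found"


if __name__ == "__main__":
    # A link in an email is a GET; the state-changing path refuses it.
    print(handle("GET", "/transfer", "to=12345678&amount=500"))
    # The same data via POST passes the method check and then validation.
    print(handle("POST", "/transfer", "", "to=12345678&amount=500"))
    # POST does not make bad data acceptable.
    print(handle("POST", "/transfer", "", "to=1234&amount=500"))
```

Refusing GET closes the customised-link case the reply describes; it does not by itself stop a POST submitted from a form hosted on another page, so state-changing actions are in practice also tied to an unpredictable per-session token, which this example leaves out.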
