WebApp Sec mailing list archives

RE: XSS, SQL injection etc - permutations of input strings


From: RSnake <rsnake () shocking com>
Date: Fri, 24 Sep 2004 18:04:41 -0700 (PDT)



        I guess Siddhartha was right... if you sit by a river long enough
you'll see the same thing twice...  This list has already talked about this
before.  Include referrers to your list of security differences between GET and
POST:  http://seclists.org/lists/webappsec/2003/Jul-Sep/0151.html

On Thu, 23 Sep 2004, Frank Knobbe wrote:

| Date: Thu, 23 Sep 2004 10:24:20 -0500
| From: Frank Knobbe <frank () knobbe us>
| To: webappsec () securityfocus com
| Subject: RE: XSS, SQL injection etc - permutations of input strings
|
| On Tue, 2004-09-21 at 09:58, Scovetta, Michael V wrote:
| > 1. The *only* difference between GET and POST is the "average" user
| > thinks that POST means the client can't see it. This is totally
| > untrue.
| > If your site is secure, then it shouldn't matter whether it's GET or
| > POST. If it's not, then relying on POST to make it seem secure is
| > Security Through Obscurity (a Bad Thing(TM)).
|
| That's not the only difference. Another one is that of logging. Data
| posted in GET requests is typically logged to server log files and proxy
| log files while posted data using POST often is not.
|
| GET data has a tendency to "linger" in caches... your browsers URL cache
| but also proxy server caches. POST data is not (except within the same
| browser session in a POST cache, but it typically doesn't survive
| browser restarts).
|
| GET data is observed by shoulder surfing, while POST data is not. Lame
| point but a point nevertheless.
|
|
| Both posting mechanisms pass data in clear text, so they are equal in
| security from the perspective of observing traffic flow. However, there
| are benefits to using POST data which would rate the security of usage of
| POST a little bit higher than that of GET.
|
| Security is not a black-and-white thing. It's all shades of gray. I
| believe POST is just a little more on the light-gray scale than GET. The
| advantages of POST (logging/caching) should make it more "attractive" to
| use than GET.
|
| Cheers,
| Frank
|
|

-R

The information in this email is confidential and may be legally
privileged.  It is intended solely for the addressee.  Access to
this email by anyone else is unauthorized.  If you are not the
intended recipient, any disclosure, copying, distribution or any
action taken or omitted to be taken in reliance on it is
expressly prohibited and may be unlawful.
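Frank's logging point and RSnake's referrer point can both be seen in a few lines of Python. This is an added example, not code from the thread or its posters: it starts a stand-in web server on localhost, captures the access-log lines that server would write, sends the same credential once in a GET query string and once in a POST body, and then fetches a second page with a Referer header set to the GET URL, as a browser does when the user follows a link from that page. The secret value, the /login and /next paths, and the combined-log-style line format are constructed for this example.

```python
import http.server
import socketserver
import threading
import urllib.parse
import urllib.request

SECRET = "hunter2"  # constructed sample password for the demo


class LoggingHandler(http.server.BaseHTTPRequestHandler):
    """Answers everything with 200 and keeps its access-log lines in memory."""
    log_lines = []

    def log_request(self, code="-", size="-"):
        # Apache "combined"-style line: request line, status, size, Referer.
        # The default handler writes a similar line to stderr; capture it instead.
        referer = self.headers.get("Referer", "-")
        LoggingHandler.log_lines.append(
            '"%s" %s %s "%s"' % (self.requestline, code, size, referer))

    def _ok(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"ok")

    def do_GET(self):
        self._ok()

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        self.rfile.read(length)  # consume the body; it never reaches the log
        self._ok()


def run_demo():
    """Send the same credential via GET, via POST, then follow a link from the
    GET page. Returns the three access-log lines the server recorded."""
    LoggingHandler.log_lines = []
    with socketserver.TCPServer(("127.0.0.1", 0), LoggingHandler) as srv:
        port = srv.server_address[1]
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        base = f"http://127.0.0.1:{port}"
        params = urllib.parse.urlencode({"user": "alice", "password": SECRET})

        # 1. Credentials in the query string: they land in the request line.
        get_url = f"{base}/login?{params}"
        urllib.request.urlopen(get_url).read()

        # 2. Same credentials in a POST body: the request line shows only the path.
        req = urllib.request.Request(base + "/login", data=params.encode(),
                                     method="POST")
        req.add_header("Content-Type", "application/x-www-form-urlencoded")
        urllib.request.urlopen(req).read()

        # 3. A link followed from the GET page: browsers send that page's full
        #    URL, query string included, as the Referer. Here it goes back to
        #    the same host; a link to a third-party site would hand the secret
        #    to that site's logs instead.
        req = urllib.request.Request(base + "/next", headers={"Referer": get_url})
        urllib.request.urlopen(req).read()

        srv.shutdown()
    return tuple(LoggingHandler.log_lines)


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

Running it prints three log lines: the GET line carries `password=hunter2` in the request line, the POST line shows only `/login`, and the `/next` line carries the password again inside the quoted Referer. The same lines would appear in any proxy or reverse proxy that logs request lines and referrers along the path, which is why moving secrets into the body (or, better, into a header or cookie over TLS) removes them from places the application never intended to store them.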
