WebApp Sec mailing list archives
RE: (clarification) GET and POST Methods Accepted
From: Jeff Robertson <Jeff.Robertson () DigitalInsight com>
Date: Fri, 14 Oct 2005 07:35:41 -0400
The Struts servlet combines doPost and doGet like you describe, so anyone using Struts is doing this by default. ColdFusion works much like you describe ASP. So, yes, it's common.

The tendency of most higher-level web frameworks (i.e., higher than the Servlet API) has been to make it possible for the developer to switch the HTML back and forth between GET and POST without having to change the code that accepts the form submission. This has convenience benefits, especially in teams where the HTML is written by a different person than the code.

I think this is the first time I've seen a real discussion of the security implications of this common design choice, although it's obvious that many have thought about it.

Jeff Robertson
Manager of Web Application Security
Digital Insight
-----Original Message-----
From: Joe Teff [mailto:joe () joeteff com]
Sent: Friday, October 14, 2005 00:18
To: webappsec () securityfocus com
Subject: RE: (clarification) GET and POST Methods Accepted

I see shortcuts taken a lot. An example is using ASP where Request("variablename") is used to retrieve a value rather than Request.Form("variablename") or Request.QueryString("variablename"). When using the abbreviated form, ASP checks the QueryString, then Form, then Cookies, then ClientCertificate, then ServerVariables.

It's not uncommon in servlets to see a call to doPost from inside the doGet. Less common is when service is overridden instead of the doPost or doGet. JSPs almost always use request.getParameter without checking the request method.

These are examples, not a definitive list of all languages and environments.

Joe

-----Original Message-----
From: "Evans, Arian" <Arian.Evans () fishnetsecurity com>
To: <webappsec () securityfocus com>
Date: Thu, 13 Oct 2005 13:24:02 -0500
Subject: RE: (clarification) GET and POST Methods Accepted

1) Are other people seeing that the applications they test accept GETs where they are intended/expecting to accept POSTs?

2) Are you seeing this more or less on specific platforms?
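The servlet shortcut Joe describes (doGet calling doPost, and getParameter() used without looking at the request method) is shown below next to a version that refuses GET for a state-changing action. This is an added illustration written for this archive page, not code from any poster or from Struts; the servlet name, the "amount" parameter and the AccountService.transfer() call are hypothetical placeholders.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Weak pattern from the thread: doGet forwards to doPost, so the form action
// is also reachable through a plain link or image URL that carries the same
// parameters in the query string. (Each class belongs in its own source file
// in a real deployment; they are shown together here for comparison.)
public class TransferServletLax extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        doPost(req, resp); // GET and POST are indistinguishable from here on
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // getParameter() merges query-string and body parameters, so nothing
        // below can tell how the value arrived.
        String amount = req.getParameter("amount");
        AccountService.transfer(req.getSession(), amount); // hypothetical service
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }
}

// Hardened form: doGet is NOT overridden, so HttpServlet's default replies
// 405 Method Not Allowed and the action cannot be triggered by a link.
// doPost additionally insists that its parameters came from the body.
public class TransferServletStrict extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Reject a POST whose URL also carries a query string; getParameter()
        // would otherwise silently accept values from either source.
        if (req.getQueryString() != null) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST,
                           "parameters must be sent in the request body");
            return;
        }
        // Require a real form submission, not an arbitrary body type.
        String contentType = req.getContentType();
        if (contentType == null
                || !contentType.startsWith("application/x-www-form-urlencoded")) {
            resp.sendError(HttpServletResponse.SC_UNSUPPORTED_MEDIA_TYPE);
            return;
        }
        String amount = req.getParameter("amount");
        if (amount == null || amount.isEmpty()) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "missing amount");
            return;
        }
        AccountService.transfer(req.getSession(), amount); // hypothetical service
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }
}
```

Where a framework merges the two methods for you (Jeff notes Struts does this by default), the same check belongs in the action or in a javax.servlet.Filter that compares request.getMethod() against the method each state-changing URL is meant to accept, since the handler itself never sees the difference. Method enforcement is not a substitute for an anti-CSRF token; it only closes the link-and-image route the thread is discussing.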
Current thread:
- RE: (clarification) GET and POST Methods Accepted Evans, Arian (Oct 13)
- RE: (clarification) GET and POST Methods Accepted Joe Teff (Oct 13)
- RE: (clarification) GET and POST Methods Accepted Amit Klein (AKsecurity) (Oct 14)
- RE: (clarification) GET and POST Methods Accepted Thomas Schreiber (Oct 14)
- <Possible follow-ups>
- RE: (clarification) GET and POST Methods Accepted Jeff Robertson (Oct 14)
- RE: (clarification) GET and POST Methods Accepted Amit Klein (AKsecurity) (Oct 14)
- Re: (clarification) GET and POST Methods Accepted Andrew van der Stock (Oct 14)
- RE: (clarification) GET and POST Methods Accepted Derick Anderson (Oct 14)
- Re: (clarification) GET and POST Methods Accepted Chris Shiflett (Oct 14)
- Re: (clarification) GET and POST Methods Accepted Greg Skouby (Oct 16)
- Re: (clarification) GET and POST Methods Accepted Chris Shiflett (Oct 14)