RE: GET and POST Methods Accepted

["Derick Anderson" <danderson () vikus com>]

> -----Original Message-----
> From: christopher baus [mailto:christopher () baus net] 
> Sent: Thursday, October 13, 2005 2:04 PM
> To: webappsec () securityfocus com
> Subject: RE: GET and POST Methods Accepted
>
> > Anyway I share this only because the original post seemed 
> to focus on 
> > GET vs. POST more than XSS. I restrict GET as much as 
> possible in site 
> > development because it can expose the inner workings of the 
> site and 
> > secure methodology or not, we all miss something from time to time.
>
> I don't understand this philosophy.  If you forget what is 
> visible in the web browser and look at what is put on the 
> wire, which is trivially viewed with packages like ethereal, 
> the only difference between GET and POST requests is that the 
> parameters for GET requests are on the request line and 
> parameters for POST requests are in the body.  To me the 
> security implications are practically identical.

I think you are neglecting the human element a bit: if I hadn't seen the
URL string I wouldn't have thought to try cracking it. Sure, a
determined hacker/pentester will use ethereal to see what's going on,
but your average bored university student won't think to do it during
class. If I go to a site and I see
"site/page.asp?id=something&token=something" I get a lot more curious
than just seeing "site/page.asp".

Having said that I agree with you from a technical standpoint: what goes
over the wire goes over the wire, and cookie, post, or get, it doesn't
make a difference. But imagine now that the site is encrypted over SSL
(which in my case, it was) and it becomes less trivial.

Derick Anderson