WebApp Sec mailing list archives
When GET = POST?
From: "Chris Thomas" <chris.thomas () lodoga co uk>
Date: Tue, 5 Nov 2002 10:54:13 -0000
Hi, This has been troubling me for a while. When pen testing web apps where a page POSTs data it often seems just as effective (and easier) to encode the data in the URL (i.e. use and HTTP GET ). Is guess this is because many server-side languages do not differentiate how a variable is set? Whilst, from a pen test perspective, I can see there both positive and negative aspects to doing this, I'd like to understand it a bit better from the application designer's/ coder's viewpoint: - Why does it happen? Is it just lazy coding or do languages like ASP offer no way to differentiate if data was POSTed or GETed? - How is this situation handled in common server side languages such PHP, etc? Chris
Current thread:
- When GET = POST? Chris Thomas (Nov 08)
- Re: When GET = POST? Alonso Robles (Nov 09)
- Re: When GET = POST? Jonas Anden (Nov 10)
- Re: When GET = POST? Vincent Janelle (Nov 10)
- Re: When GET = POST? Jonas Anden (Nov 10)
- Re: When GET = POST? David Bullock (Nov 09)
- RE: When GET = POST? Tony Welsh (Nov 09)
- Re: When GET = POST? Adrian Wiesmann (Nov 10)
- Re: When GET = POST? Kevin Spett (Nov 11)
- Re: When GET = POST? Jason Childers (Nov 11)
- Re: When GET = POST? Charles Miller (Nov 11)
- Re: When GET = POST? Jeff Dafoe (Nov 11)
(Thread continues...)
- Re: When GET = POST? Alonso Robles (Nov 09)