WebApp Sec mailing list archives

Re: When GET = POST?


From: Jason Healy <jhealy+webappsec () logn net>
Date: Mon, 11 Nov 2002 22:50:44 -0500

At 1037065312s since epoch (11/11/02 20:41:52 -0500 UTC), Jeff Dafoe wrote:
    I am glad someone else feels the way I do about this issue.  In the case
of a web application, it's not important to the script which method was used
to submit the data as long as proper validation and sanitization is
performed.

Perhaps.  While I'll admit it's anal-retentive to check the method, I
usually do it for important things.  Why?  Because it adds that extra
layer of protection.  It's easy to check the method; why not use the
functionality if it's available?

Most browsers will warn about the dangers of resubmitting POST data;
this can be helpful as additional reinforcement for users (for
example, when submitting a credit card order).  Sure, the data aren't
any safer, but maybe (just maybe) the *operations* on those data are.

GET means GET; it's not supposed to perform irreversible operations.
If you have a delete CGI like this:

http://hackme.example.com/cgi-bin/deleteUser.pl?userId=jbogus

And somebody sneaks that link into an image URL on an oft-visited
bulletin board, then your app may perform a valid operation that the
user didn't want.  *Your* app may be safe against XSS, but somebody
else's might not be.

Yes, you can sucker a user into performing a POST as well, but it's
more difficult (need more HTML, and probably scripting to do it
without the user noticing).

Again, it's not the biggest deal in web programming, but I would
consider it a best-practice kind of an issue.  It's easy to check, so
why not do it?

Jason

-- 
Jason Healy
http://www.logn.net/
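An added example (my own, not code from Jason's post or any project) of the method check described above: a small Python WSGI handler that answers the GET form of the deleteUser link with 405 and only deletes on POST. The handler name, the in-memory user store and the request driver are assumptions.

```python
# Added example (not from the original post): a minimal WSGI handler that
# refuses to perform the irreversible "delete user" operation unless the
# request arrived via POST, so a deleteUser?userId=... link planted in an
# image tag on another site cannot trigger it. Names/paths are hypothetical.
import io
from urllib.parse import parse_qs

USERS = {"jbogus": "Joe Bogus", "alice": "Alice"}  # constructed sample data


def delete_user_app(environ, start_response):
    """WSGI app: GET is answered with 405; only POST performs the deletion."""
    method = environ.get("REQUEST_METHOD", "GET").upper()
    if method != "POST":
        # GET (and HEAD) must not perform irreversible operations. The query
        # string is deliberately ignored here; we only tell the client what
        # method is allowed instead of silently acting on the URL.
        start_response("405 Method Not Allowed",
                       [("Content-Type", "text/plain"), ("Allow", "POST")])
        return [b"deleteUser requires POST\n"]
    try:
        length = int(environ.get("CONTENT_LENGTH") or 0)
    except ValueError:
        length = 0
    body = environ["wsgi.input"].read(length).decode("utf-8")
    user_id = parse_qs(body).get("userId", [""])[0]
    if user_id not in USERS:
        start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [b"no such user\n"]
    del USERS[user_id]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [f"deleted {user_id}\n".encode()]


def call(method, query="", body=""):
    """Drive the app with a constructed request; returns (status, headers, text)."""
    status = {}

    def start_response(st, headers):
        status["code"] = st
        status["headers"] = dict(headers)

    data = body.encode()
    environ = {
        "REQUEST_METHOD": method,
        "QUERY_STRING": query,
        "CONTENT_LENGTH": str(len(data)),
        "wsgi.input": io.BytesIO(data),
    }
    out = b"".join(delete_user_app(environ, start_response)).decode()
    return status["code"], status["headers"], out
```

Run `call("GET", "userId=jbogus")` to see the link form rejected, then `call("POST", body="userId=jbogus")` to see the same operation succeed when submitted as a form post.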

