WebApp Sec mailing list archives
Re: When GET = POST?
From: Jason Healy <jhealy+webappsec () logn net>
Date: Mon, 11 Nov 2002 22:50:44 -0500
At 1037065312s since epoch (11/11/02 20:41:52 -0500 UTC), Jeff Dafoe wrote:
> I am glad someone else feels the way I do about this issue. In the case of a web application, it's not important to the script which method was used to submit the data as long as proper validation and sanitization is performed.
Perhaps. While I'll admit it's anal-retentive to check the method, I usually do it for important things. Why? Because it adds that extra layer of protection. It's easy to check the method; why not use the functionality if it's available?

Most browsers will warn about the dangers of resubmitting POST data; this can be helpful as additional reinforcement for users (for example, when submitting a credit card order). Sure, the data aren't any safer, but maybe (just maybe) the *operations* on those data are. GET means GET; it's not supposed to perform irreversible operations.

If you have a delete CGI like this:

http://hackme.example.com/cgi-bin/deleteUser.pl?userId=jbogus

and somebody sneaks that link into an image URL on an oft-visited bulletin board, then your app may perform a valid operation that the user didn't want. *Your* app may be safe against XSS, but somebody else's might not be. Yes, you can sucker a user into performing a POST as well, but it's more difficult (need more HTML, and probably scripting to do it without the user noticing).

Again, it's not the biggest deal in web programming, but I would consider it a best-practice kind of an issue. It's easy to check, so why not do it?

Jason

--
Jason Healy
http://www.logn.net/
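The scenario Jason describes, worked through as an added example (this is not code from the original message or from any real deleteUser.pl): a CGI-style delete handler written the method-agnostic way Jeff suggests, beside the same handler with the cheap REQUEST_METHOD check. The user store, the environ dictionaries and the `BODY` key standing in for the request body are constructed for the example. The first request is exactly what a browser sends when it fetches `<img src="http://hackme.example.com/cgi-bin/deleteUser.pl?userId=jbogus">` from someone else's page; the last one illustrates Jason's own caveat that a POST can be forged too, since a form auto-submitted by a hostile page arrives byte-identical to the legitimate one.

```python
"""Constructed example: a delete CGI that ignores the request method
versus one that insists on POST before mutating state."""
from urllib.parse import parse_qs

# Constructed user store; jbogus stands in for the victim in the URL above.
USERS = {"jbogus", "alice"}


def _params(environ):
    """Merge the query string and (for POST) the body, the way many CGI
    libraries do. Once merged, the handler cannot tell GET from POST by
    looking at the data alone; that is the whole problem."""
    params = parse_qs(environ.get("QUERY_STRING", ""))
    body = environ.get("BODY", "")  # constructed stand-in for wsgi.input
    if environ.get("REQUEST_METHOD") == "POST" and body:
        params.update(parse_qs(body))
    return params


def delete_user_any_method(environ, users):
    """Method-agnostic handler: validates the *data* but not the verb.
    Returns (status, message) and deletes from the given set in place."""
    user_id = _params(environ).get("userId", [None])[0]
    if user_id not in users:  # 'proper validation' of the parameter
        return 404, "no such user"
    users.discard(user_id)
    return 200, f"deleted {user_id}"


def delete_user_post_only(environ, users):
    """Same handler with the extra layer: a GET never reaches the delete."""
    if environ.get("REQUEST_METHOD") != "POST":
        return 405, "use POST"
    return delete_user_any_method(environ, users)


# What the victim's browser sends when it renders the planted <img> tag.
IMG_FETCH = {"REQUEST_METHOD": "GET", "QUERY_STRING": "userId=jbogus", "BODY": ""}

# A legitimate submission from the admin's own form.
ADMIN_POST = {"REQUEST_METHOD": "POST", "QUERY_STRING": "", "BODY": "userId=jbogus"}

# A POST auto-submitted by a hostile page: indistinguishable on the wire.
FORGED_POST = dict(ADMIN_POST)


def demo():
    """Run each request against a fresh copy of the store; return the
    status each handler gives and whether jbogus survived."""
    results = {}
    for name, handler, req in [
        ("any_method_img", delete_user_any_method, IMG_FETCH),
        ("post_only_img", delete_user_post_only, IMG_FETCH),
        ("post_only_admin", delete_user_post_only, ADMIN_POST),
        ("post_only_forged", delete_user_post_only, FORGED_POST),
    ]:
        users = set(USERS)
        status, _ = handler(req, users)
        results[name] = (status, "jbogus" in users)
    return results


if __name__ == "__main__":
    for name, (status, alive) in demo().items():
        print(f"{name:18s} status={status} jbogus_still_exists={alive}")
```

The method-agnostic handler deletes jbogus on the image fetch (200); the POST-only handler rejects it (405) and the account survives. The forged POST, however, gets the same 200 as the admin's submission, which is exactly why the check is a layer and not a complete defence.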
Current thread:
- Re: When GET = POST?, (continued)
- Re: When GET = POST? Alonso Robles (Nov 09)
- Re: When GET = POST? Jonas Anden (Nov 10)
- Re: When GET = POST? Vincent Janelle (Nov 10)
- Re: When GET = POST? Jonas Anden (Nov 10)
- Re: When GET = POST? David Bullock (Nov 09)
- RE: When GET = POST? Tony Welsh (Nov 09)
- Re: When GET = POST? Adrian Wiesmann (Nov 10)
- Re: When GET = POST? Kevin Spett (Nov 11)
- Re: When GET = POST? Jason Childers (Nov 11)
- Re: When GET = POST? Charles Miller (Nov 11)
- Re: When GET = POST? Jeff Dafoe (Nov 11)
- Re: When GET = POST? Jason Healy (Nov 11)
- Re: When GET = POST? Kevin Spett (Nov 12)
- Re: When GET = POST? Daniel Hedrick (Nov 12)
- Re: When GET = POST? Jeff Dafoe (Nov 11)
- Re: When GET = POST? Steven M. Christey (Nov 11)
- RE: When GET = POST? Glyn Geoghegan (Nov 14)
- RE: When GET = POST? Glyn Geoghegan (Nov 14)
- Re: When GET = POST? Alonso Robles (Nov 09)