WebApp Sec mailing list archives
Re: IIS log - GETs vs. POSTs
From: RSnake <rsnake () shocking com>
Date: Sat, 30 Aug 2003 19:57:59 -0700 (PDT)
You are exactly right... using POST has some minor benefits, absolutely. However, it should not be used as a method to protect data from the customer, or as a method to stop users from hijacking data in transit. Yes, you are posting to a CGI script with a QUERY_STRING variable. For data that is longer than the RFC officially handles, yes, that is a valid reason to use POST; as is arm-chair-surfing, which was previously mentioned. I was simply commenting on the fact that POST has nothing to do with QUERY_STRING environmental variables.

Outside of data in transit, data that has been subject to user interaction must be checked for validity, however that is another topic outside of this thread. I've seen more broken web applications than I can count, however, again, this is outside of this particular thread. HTTP 1.0 can handle both POST and QUERY_STRING.

I've done some research on this on high profile enterprise environments, and generally I find that man in the middle attacks are the least important of all attacks, from a practicality standpoint. Far more important are directory traversal, session attacks, brute force, or database attacks, which actually allow you to assume access outside of your own. But if we want to stay on topic, yes, POST provides little real benefit. I'd rather see data in transit hashed, or otherwise encrypted using SSL, even though that will really add very little real security per dollar spent compared to securing the application itself.

On Sat, 30 Aug 2003, Lucas Holt wrote:

| Date: Sat, 30 Aug 2003 16:09:21 -0400
| From: Lucas Holt <luke () foolishgames com>
| To: RSnake <rsnake () shocking com>
| Cc: Jeremy Poteet <lists () appdefense com>,
|     WebAppSec <webappsec () securityfocus com>
| Subject: Re: IIS log - GETs vs. POSTs
|
| Bottom line, use POST when possible. Also buy an SSL key for web applications.
|
| I'd like to comment on this example:
| <FORM METHOD="POST" ACTION="/cgi-bin/useradd.cgi?data">
|
| In this case, aren't you posting to a URL with a query string? The official reason for using POST requests is for bodies that are larger than the common default accepted by user agents. Query strings can only be so long. Information hiding is a side benefit.
|
| I think people should realize that using POST does not make your application secure in any way. You must check user input. I could take lynx, hack the source, and add a feature to change hidden variables on forms, etc. I've actually seen plugins to do that with Mozilla. Programming web applications is far more serious than conventional apps... because EVERYONE can access/attack them. It's a lot like having a windows machine on the internet with no firewall or patches. :)
|
| Lucas Holt
| Luke () FoolishGames com

-R
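As an added illustration of the two points made above (a POST to `/cgi-bin/useradd.cgi?data` still sets QUERY_STRING, and body fields need exactly the same checks as query fields), here is a hypothetical CGI-style handler written for this page, not code from either poster. The username pattern, the role allowlist and the sample requests are all constructed assumptions.

```python
import re
from urllib.parse import parse_qs

# Hypothetical useradd.cgi handler (constructed for this example).
USERNAME_RE = re.compile(r"^[a-z][a-z0-9_]{2,15}$")
ALLOWED_ROLES = {"user"}  # a hidden form field is still client-controlled input


def parse_request(environ, body=b""):
    """Return (query_params, body_params) from a CGI-style environment.

    QUERY_STRING is populated for every method (so POST to ?data still
    sees it); the entity body is only read for POST with a form content type.
    """
    query = parse_qs(environ.get("QUERY_STRING", ""), keep_blank_values=True)
    form = {}
    if environ.get("REQUEST_METHOD") == "POST":
        ctype = environ.get("CONTENT_TYPE", "")
        if ctype.startswith("application/x-www-form-urlencoded"):
            form = parse_qs(body.decode("utf-8", "replace"), keep_blank_values=True)
    return query, form


def validate_useradd(environ, body=b""):
    """Apply the same validation whether a field arrived via query or body."""
    query, form = parse_request(environ, body)
    merged = {**query, **form}  # body wins on conflict; both are untrusted
    username = merged.get("username", [""])[0]
    role = merged.get("role", ["user"])[0]
    errors = []
    if not USERNAME_RE.match(username):
        errors.append("bad username")
    if role not in ALLOWED_ROLES:
        errors.append("role not permitted")
    return {
        "ok": not errors,
        "errors": errors,
        "query_string": environ.get("QUERY_STRING", ""),
    }


if __name__ == "__main__":
    # Constructed sample: POST to /cgi-bin/useradd.cgi?data with a tampered hidden field.
    env = {"REQUEST_METHOD": "POST", "QUERY_STRING": "data",
           "CONTENT_TYPE": "application/x-www-form-urlencoded"}
    print(validate_useradd(env, b"username=alice&role=admin"))
```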