WebApp Sec mailing list archives

Re: IIS log - GETs vs. POSTs


From: RSnake <rsnake () shocking com>
Date: Sat, 30 Aug 2003 19:57:59 -0700 (PDT)


        You are exactly right... using POST has some minor benefits,
absolutely.  However, it should not be used as a method to protect data from
the customer, or as a method to stop users from hijacking data in transit.
Yes, you are posting to a CGI script with a QUERY_STRING variable.  For data
that is longer than the RFC officially handles, yes, that is a valid reason to
use POST; as is arm-chair-surfing, which was previously mentioned.

        I was simply commenting on the fact that POST has nothing to do with
QUERY_STRING environmental variables.  Outside of data in transit, data that
has been subject to user interaction must be checked for validity, however that
is another topic outside of this thread.  I've seen more broken web
applications than I can count, however, again, this is outside of this
particular thread.  HTTP 1.0 can handle both POST and QUERY_STRING.

        I've done some research on this on high profile enterprise
environments, and generally I find that man in the middle attacks are the least
important of all attacks, from a practicality standpoint.  Far more important
are directory traversal, session attacks, brute force, or database attacks,
which actually allow you to assume access outside of your own.  But if we want
to stay on topic, yes, POST provides little real benefit.  I'd rather see data
in transit hashed, or otherwise encrypted using SSL, even though that will
really add very little real security per dollar spent compared to securing the
application itself.

On Sat, 30 Aug 2003, Lucas Holt wrote:

| Date: Sat, 30 Aug 2003 16:09:21 -0400
| From: Lucas Holt <luke () foolishgames com>
| To: RSnake <rsnake () shocking com>
| Cc: Jeremy Poteet <lists () appdefense com>,
|      WebAppSec <webappsec () securityfocus com>
| Subject: Re: IIS log - GETs vs. POSTs
|
| Bottom line, use POST when possible.  Also buy an SSL key for web
| applications.
|
| I'd like to comment on this example:
| <FORM METHOD="POST" ACTION="/cgi-bin/useradd.cgi?data">
|
| In this case, aren't you posting to a URL with a query string?  The
| official reason for using POST requests is for bodies that are larger
| than the common default accepted by user agents.  Query strings can
| only be so long.  Information hiding is a side benefit.
|
| I think people should realize that using POST does not make your
| application secure in any way.  You must check user input.  I could
| take lynx, hack the source, and add a feature to change hidden
| variables on forms, etc.  I've actually seen plugins to do that with
| Mozilla.  Programming web applications is far more serious than
| conventional apps... because EVERYONE can access/attack them.  It's a lot
| like having a windows machine on the internet with no firewall or
| patches. :)
|
|
| Lucas Holt
| Luke () FoolishGames com
|

-R
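The point both posters make, that a CGI sees QUERY_STRING from the URL whatever the method and that only server-side validation counts, as an added example that is not part of the original thread. The raw requests, the `user`/`role` fields and the `ALLOWED_ROLES` policy are constructed assumptions for the form `<FORM METHOD="POST" ACTION="/cgi-bin/useradd.cgi?data">` quoted above.

```python
from typing import Dict, List, Tuple
from urllib.parse import parse_qs

# Constructed HTTP/1.0 requests (not from the thread) that submit the same
# fields to /cgi-bin/useradd.cgi?data, once via GET and once via POST.
GET_REQUEST = (
    "GET /cgi-bin/useradd.cgi?data&user=alice&role=user HTTP/1.0\r\n"
    "Host: example.test\r\n\r\n"
)
POST_REQUEST = (
    "POST /cgi-bin/useradd.cgi?data HTTP/1.0\r\n"
    "Host: example.test\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 20\r\n\r\n"
    "user=alice&role=user"
)


def cgi_view(raw: str) -> Tuple[str, str, Dict[str, List[str]]]:
    """Split a raw request the way a CGI gateway does: REQUEST_METHOD,
    QUERY_STRING (taken from the URL regardless of method) and the decoded
    body.  Content-Length is ignored here for brevity."""
    head, _, body = raw.partition("\r\n\r\n")
    method, target, _ = head.split("\r\n")[0].split(" ")
    _, _, query_string = target.partition("?")
    return method, query_string, parse_qs(body, keep_blank_values=True)


def merged_params(raw: str) -> Dict[str, List[str]]:
    """What the application actually receives: query string and body merged,
    so a POST to a URL with a query string carries both."""
    _, qs, body = cgi_view(raw)
    params = parse_qs(qs, keep_blank_values=True)
    for key, values in body.items():
        params.setdefault(key, []).extend(values)
    return params


ALLOWED_ROLES = {"user"}  # assumption: self-service signup may only pick "user"


def validate_useradd(params: Dict[str, List[str]]) -> Tuple[bool, str]:
    """Server-side check that does not care which method delivered the fields
    or whether one of them was a 'hidden' form input on the client."""
    user = params.get("user", [""])[0]
    role = params.get("role", [""])[0]
    if not user.isalnum() or not 1 <= len(user) <= 32:
        return False, "bad username"
    if role not in ALLOWED_ROLES:
        return False, "role not permitted"
    return True, "ok"
```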
