RE: XSS, SQL injection etc - permutations of input strings

["Shields, Larry" <Larry.Shields () FMR COM>]

 Yet, if you don't require it, it doesn't hurt.  Keep the name/value
pairs out of the browser history & web logs, if there's no real need to
have them there (and if it's not https, out of the proxy logs & referer
headers). Get rid of yet more possible sources of information
disclosure.

-Larry

-----Original Message-----
From: James Barkley [mailto:James.Barkley () noaa gov] 
Sent: Tuesday, September 28, 2004 1:06 AM
To: focus () karsites net; webappsec () securityfocus com
Subject: Re: XSS, SQL injection etc - permutations of input strings

*** PGP SIGNATURE VERIFICATION ***
*** Status:   Unknown Signature
*** Signer:   Unknown Key (0x6725FF31)
*** Signed:   9/28/2004 1:05:42 AM
*** Verified: 9/29/2004 2:30:41 PM
*** BEGIN PGP VERIFIED MESSAGE ***


Turning off GET requests may not buy you as much as you think.  Any
dedicated hacker who is going to be attempting xss or sql injection,
etc. probably knows how to save a page and tamper the post form vars.
Also, if you do regular log checks variable tampering through GET
requests is typically much easier to spot as the entire URL is logged
and you can see hacking attempts as part of the URL request.

*snip*