WebApp Sec mailing list archives
RE: GET and POST Methods Accepted
From: "Joe Teff" <joe () joeteff com>
Date: Thu, 13 Oct 2005 22:19:42 -0500
I'll refer back to my original response.
GET parameters are cached in the browser and logged on the server (I'm assuming SSL here). This can lead to replay attempts and data exposure.
These are problems that POST does not have.
If your site expects POST requests, then a GET request can respresent an attack (someone is trying values in the address line or maybe scripted).
This is a Detective measure rather than a Preventative measure. I'll include another potential exposure by having sensative data in URLs. If there are any embedded http links in a page, then the URL (including paramters) are inserted into the HTTP Referer. Lets say you use an HTTP site for caching graphics. All requests for those graphics will include the URL of the page. Joe -----Original Message----- From: "christopher baus" <christopher () baus net> To: webappsec () securityfocus com Date: Thu, 13 Oct 2005 18:04:22 -0000 (GMT) Subject: RE: GET and POST Methods Accepted
Anyway I share this only because the original post seemed to focus on GET vs. POST more than XSS. I restrict GET as much as possible insitedevelopment because it can expose the inner workings of the site and secure methodology or not, we all miss something from time to time.I don't understand this philosophy. If you forget what is visible in the web browser and look at what is put on the wire, which is trivially viewed with packages like ethereal, the only difference between GET and POST requests is that the parameters for GET requests are on the request line and parameters for POST requests are in the body. To me the security implications are practically identical.
Current thread:
- Re: GET and POST Methods Accepted, (continued)
- Re: GET and POST Methods Accepted Damien Watson (Oct 13)
- Re: GET and POST Methods Accepted Serg Belokamen (Oct 13)
- Re: GET and POST Methods Accepted Eoin Keary (Oct 13)
- Re: GET and POST Methods Accepted Amit Klein (AKsecurity) (Oct 13)
- Re: GET and POST Methods Accepted John GALLET (Oct 13)
- Re: GET and POST Methods Accepted Eoin Keary (Oct 13)
- Re: GET and POST Methods Accepted John GALLET (Oct 13)
- Re: GET and POST Methods Accepted Eoin Keary (Oct 13)
- Re: GET and POST Methods Accepted Paul Laudanski (Oct 18)
- RE: GET and POST Methods Accepted Derick Anderson (Oct 13)
- RE: GET and POST Methods Accepted christopher baus (Oct 13)
- RE: GET and POST Methods Accepted Joe Teff (Oct 13)
- RE: GET and POST Methods Accepted christopher baus (Oct 13)
- RE: GET and POST Methods Accepted Derick Anderson (Oct 14)