RE: GET and POST Methods Accepted

["Joe Teff" <joe () joeteff com>]

I'll refer back to my original response.

> GET parameters are cached in the browser and logged on the server (I'm 
> assuming SSL here). This can lead to replay attempts and data exposure.

These are problems that POST does not have.

> If your site expects POST requests, then a GET request can respresent an 
> attack (someone is trying values in the address line or maybe scripted).

This is a Detective measure rather than a Preventative measure.

I'll include another potential exposure by having sensative data in URLs. 
If there are any embedded http links in a page, then the URL (including 
paramters) are inserted into the HTTP Referer. Lets say you use an HTTP 
site for caching graphics. All requests for those graphics will include 
the URL of the page.

Joe

-----Original Message-----
From: "christopher baus" <christopher () baus net>
To: webappsec () securityfocus com
Date: Thu, 13 Oct 2005 18:04:22 -0000 (GMT)
Subject: RE: GET and POST Methods Accepted

> > Anyway I share this only because the original post seemed to focus on
> > GET vs. POST more than XSS. I restrict GET as much as possible in
> site
> > development because it can expose the inner workings of the site and
> > secure methodology or not, we all miss something from time to time.
>
> I don't understand this philosophy.  If you forget what is visible in
> the
> web browser and look at what is put on the wire, which is trivially
> viewed
> with packages like ethereal, the only difference between GET and POST
> requests is that the parameters for GET requests are on the request
> line
> and parameters for POST requests are in the body.  To me the security
> implications are practically identical.