WebApp Sec mailing list archives
Re: GET and POST Methods Accepted
From: Paul Laudanski <zx () castlecops com>
Date: Mon, 17 Oct 2005 21:03:38 -0400 (EDT)
On Wed, 12 Oct 2005, Welsh, Ed wrote:
> Web sites are allowing a switch in method for requests and still processing the input. I have been able to analyze a site login form which is specified to use POST method and craft a URL (GET of course) that the web server will still accept and process. If the site will accept the GET method for form data and is vulnerable to XSS, the attack surface greatly increases over a site that is vulnerable to XSS but only accepts the POST method. POST is still attackable, but it becomes more complicated than simply emailing a link.
It's easier for folks to copy direct links when params can be passed via GET; however, to your point, it would be much safer to permit such a thing if modsecurity is running.

---
Paul Laudanski, Microsoft MVP Windows-Security
http://castlecops.com - http://wiki.castlecops.com
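The behaviour Ed describes, a POST form whose fields are also honoured when they arrive in a GET query string, comes from handlers that look parameters up without caring where they came from. The following is an added illustration, not code from this thread or from any of the posters: a loose handler that merges query string and body (the way a PHP `$_REQUEST`-style lookup does) next to a hardened one that serves the login endpoint as POST-only and reads form fields from the body alone. The function names, the `FORM_FIELDS` tuple and the sample requests in the comments are constructed for the example.

```python
"""Added example: method-agnostic parameter lookup vs. a POST-only form handler.

Not the thread's code. Handler names and sample requests are constructed
for illustration; each handler returns an (HTTP status, body) tuple so the
difference can be checked without running a server.
"""
from html import escape
from urllib.parse import parse_qs

# Fields the (hypothetical) login form is expected to submit.
FORM_FIELDS = ("username", "password")
FORM_CONTENT_TYPE = "application/x-www-form-urlencoded"


def _params_from_query(query: str) -> dict:
    """Decode a URL query string into a flat {name: first_value} dict."""
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def _params_from_body(body: bytes, content_type: str) -> dict:
    """Decode a form-encoded request body; ignore bodies of any other type."""
    if content_type.split(";")[0].strip() != FORM_CONTENT_TYPE:
        return {}
    return {k: v[0] for k, v in parse_qs(body.decode("utf-8"),
                                         keep_blank_values=True).items()}


def handle_login_loose(method: str, query: str, body: bytes, content_type: str):
    """Weak handler: accepts the form fields from the query string or the body,
    for any method. A GET request carrying ?username=...&password=... is
    processed exactly like the real form POST, which is what the thread reports.
    The username is also reflected unescaped, so a crafted link reaches the page."""
    params = {}
    params.update(_params_from_query(query))
    params.update(_params_from_body(body, content_type))   # body wins on clash
    if all(field in params for field in FORM_FIELDS):
        return 200, f"login attempt for {params['username']}"
    return 400, "missing fields"


def handle_login_strict(method: str, query: str, body: bytes, content_type: str):
    """Hardened handler: the login endpoint is POST-only, form fields are read
    only from a form-encoded body, and anything reflected is HTML-escaped.
    Query-string parameters on a POST are deliberately ignored."""
    if method != "POST":
        # A real server would also send an Allow: POST header with the 405.
        return 405, "method not allowed"
    params = _params_from_body(body, content_type)
    if all(field in params for field in FORM_FIELDS):
        return 200, f"login attempt for {escape(params['username'])}"
    return 400, "missing fields"


if __name__ == "__main__":
    # Constructed sample: the same fields delivered as a GET link and as a POST body.
    link_query = "username=alice&password=x"
    post_body = b"username=alice&password=x"
    print("loose, GET link :", handle_login_loose("GET", link_query, b"", ""))
    print("strict, GET link:", handle_login_strict("GET", link_query, b"", ""))
    print("strict, POST    :", handle_login_strict("POST", "", post_body, FORM_CONTENT_TYPE))
```

Running it shows the loose handler returning 200 for the GET link while the strict handler answers 405 and only completes the login for a real POST body. The framework-level equivalent is to register the route for POST only and to read form fields from the request's form/body accessor rather than from a merged "any parameter" lookup; a web application firewall such as mod_security, as Paul notes, can enforce the same method restriction in front of an application that cannot be changed.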