WebApp Sec mailing list archives

Re: GET and POST Methods Accepted


From: Paul Laudanski <zx () castlecops com>
Date: Mon, 17 Oct 2005 21:03:38 -0400 (EDT)

On Wed, 12 Oct 2005, Welsh, Ed wrote:

Web sites are allowing a switch in method for requests and still processing the input.  I have been
able to analyze a site login form which is specified to use POST method and craft a URL (GET of
course) that the web server will still accept and process.  If the site will accept the GET method for
form data and is vulnerable to XSS, the attack surface greatly increases over a site that is
vulnerable to XSS but only accepts the POST method.  POST is still attackable, but it becomes more
complicated than simply emailing a link.

It's easier for folks to copy direct links when params can be passed via 
GET, however, to your point, it would be much safer to permit such a thing 
if modsecurity is running.

---
Paul Laudanski, Microsoft MVP Windows-Security
http://castlecops.com - http://wiki.castlecops.com
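The method-switching behaviour discussed in this thread, shown as an added Python example that is not part of either poster's message: a lax handler that merges query-string and body fields whatever the method (so a login form written for POST also answers to a crafted GET URL), beside a strict handler that processes only a POST and reads fields from the body alone. The function names, field names and the two sample requests are constructed for illustration.

```python
"""
Added example (not from the original thread): a request handler that accepts
form fields from the query string or the body regardless of method, beside
one that only honours the method the form was written for. Function names
and the sample requests below are constructed for illustration.
"""
from urllib.parse import parse_qs

LOGIN_FIELDS = ("user", "password")


def lax_login_params(method, query_string, body):
    """Lax handler: ignores the method and merges query-string and body
    fields (the behaviour the thread describes, where a POST-only form
    still processes the same fields sent in a GET URL).
    Returns the field dict, or None if a required field is missing."""
    params = {}
    params.update({k: v[0] for k, v in parse_qs(query_string).items()})
    params.update({k: v[0] for k, v in parse_qs(body).items()})
    if all(f in params for f in LOGIN_FIELDS):
        return params
    return None


def strict_login_params(method, query_string, body):
    """Strict handler: only a POST is processed, and fields are read from the
    body alone, so the same values placed in a URL are never consulted.
    Returns (status, params): 405 for a non-POST, 400 for missing fields,
    200 with the fields on success."""
    if method != "POST":
        return 405, None
    params = {k: v[0] for k, v in parse_qs(body).items()}
    if not all(f in params for f in LOGIN_FIELDS):
        return 400, None
    return 200, params


# Constructed sample requests: the form submitted as designed, and the same
# fields moved into a query string with the method switched to GET.
POST_REQUEST = ("POST", "", "user=alice&password=s3cret")
GET_REQUEST = ("GET", "user=alice&password=s3cret", "")


def compare():
    """Run both handlers over both requests so the difference is visible."""
    return {
        "lax_post": lax_login_params(*POST_REQUEST),
        "lax_get": lax_login_params(*GET_REQUEST),
        "strict_post": strict_login_params(*POST_REQUEST),
        "strict_get": strict_login_params(*GET_REQUEST),
    }


if __name__ == "__main__":
    for name, result in compare().items():
        print(name, result)
```

The lax handler returns identical credentials for the POST and the GET request, which is exactly why a reflected-XSS parameter on such a form can be shared as a plain link; the strict handler answers the GET with 405 and never reads the query string, so the URL form of the request carries no form data into the application at all. Rejecting the wrong method at the handler (or with a front-end rule, as the reply suggests) is the defender's check here.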
