GET and POST Methods Accepted

["Welsh, Ed" <Ed.Welsh () fishnetsecurity com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

I have begun stating this as an issue during assessments and wonder what you folks think of it.

Web sites are allowing a switch in method for requests and still processing the input.  I have been
able to analyze a site login form which is specified to use POST method and craft a URL (GET of
course) that the web server will still accept and process.  If the site will accept the GET method for
form data and is vulnerable to XSS, the attack surface greatly increases over a site that is
vulnerable to XSS but only accepts the POST method.  POST is still attackable, but it becomes more
complicated than simply emailing a link.

There used to be a substantial difference in how variables received via GET vs POST were stored.  That
difference had to be accounted for in the server code and would not lend itself to arbitrary method
switching.  This may disclose some of my ignorance, but it seems something has changed and application
systems are treating input values the same regardless of the method.

I have seen this recently on J2EE sites and CGI (PERL, PYTHON, Binary).

Do any of you test for this issue - what are your results?

Any other discussion is valued.

Ed Welsh
-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.0.2 (Build 2424)

iQEVAwUBQ01sNlcLJH9lmXCIAQgowAgAz4eUyEgXKIk7aveM09znkQVy4rUm640w
7M9XwRC2XnHo49MIc2CLsBa6d2yFbBsfhjw0L+hNRhWVnWRZsBv1Z+k61slZK0QU
qeQS4f3+6iVgqesLsRtFG6d7DI50tDuVFpIkrwosLL4OkVLFHrA56x3BkrByverx
pYa6SMihDMrVRl5dvIGecijObexHLM03gEembyTB2XJC5h+5Z3UNaGqt6kf4X0Dz
Y3pfBdQ5OH8XdVReW+AZJAimd40g/+qiiYhMbeKJzC0p3/7Yw1VOG9//OPKFi/wY
q79op1KikDcZ7l29YdI323gfI2G5WS3rJsdP00wM9X2IFEsdYR7n3A==
=zb7v
-----END PGP SIGNATURE-----