Re: GET and POST Methods Accepted

[Serg Belokamen <serg.belokamen () gmail com>]

Hi,

I am not sure about Perl (cgi) but I know in PHP there are a number of
global arrays such as $_POST, $_GET and $_REQUEST. POST and GET arrays
keep corresponding data and developer decided on the order and
importance of processing the values. For example if system doesnt use
GET  at all, then $_POST array is the only one that is being used and
thus no GET values are utilised (user can attempt as much as they
like).

$_REQUEST array is a little different and in my opinon dangerous,
since that addresses exactly what you mentioned. All input values from
POST and GET methods get stored there and used  interchangeably. This
is when it could be possible to perform XSS attack assuming the
processing order on the server level (described later) is incorrect.
It is also largly depends on the environment setup. In case of PHP,
system admins. can define a setting that states the order input gets
processed (GET, then POST, then...) so all ilegal values would be
overiden. This is usually left as default by the way.

Finaly, there are systems that allow this behaviour since they want to
enable users to issue automated requests from remote scripts and doing
it in a single GET request makes perfect scence.

So bottom line, it completely depends on the aplication and its purpose.

My AU$0.2, hope it helped.

   Serg

P.S.
If site is explicitly saying "use POST" and get gets processed
regardless it is most likely that something like $_REQUEST is being
used and not specific HTTP method value arrays.

On 13/10/05, Welsh, Ed <Ed.Welsh () fishnetsecurity com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> I have begun stating this as an issue during assessments and wonder what you folks think of it.
>
> Web sites are allowing a switch in method for requests and still processing the input.  I have been
> able to analyze a site login form which is specified to use POST method and craft a URL (GET of
> course) that the web server will still accept and process.  If the site will accept the GET method for
> form data and is vulnerable to XSS, the attack surface greatly increases over a site that is
> vulnerable to XSS but only accepts the POST method.  POST is still attackable, but it becomes more
> complicated than simply emailing a link.
>
> There used to be a substantial difference in how variables received via GET vs POST were stored.  That
> difference had to be accounted for in the server code and would not lend itself to arbitrary method
> switching.  This may disclose some of my ignorance, but it seems something has changed and application
> systems are treating input values the same regardless of the method.
>
> I have seen this recently on J2EE sites and CGI (PERL, PYTHON, Binary).
>
> Do any of you test for this issue - what are your results?
>
> Any other discussion is valued.
>
> Ed Welsh
> -----BEGIN PGP SIGNATURE-----
> Version: PGP Desktop 9.0.2 (Build 2424)
>
> iQEVAwUBQ01sNlcLJH9lmXCIAQgowAgAz4eUyEgXKIk7aveM09znkQVy4rUm640w
> 7M9XwRC2XnHo49MIc2CLsBa6d2yFbBsfhjw0L+hNRhWVnWRZsBv1Z+k61slZK0QU
> qeQS4f3+6iVgqesLsRtFG6d7DI50tDuVFpIkrwosLL4OkVLFHrA56x3BkrByverx
> pYa6SMihDMrVRl5dvIGecijObexHLM03gEembyTB2XJC5h+5Z3UNaGqt6kf4X0Dz
> Y3pfBdQ5OH8XdVReW+AZJAimd40g/+qiiYhMbeKJzC0p3/7Yw1VOG9//OPKFi/wY
> q79op1KikDcZ7l29YdI323gfI2G5WS3rJsdP00wM9X2IFEsdYR7n3A==
> =zb7v
> -----END PGP SIGNATURE-----