Re: GET and POST Methods Accepted

[Eoin Keary <eoinkeary () gmail com>]

Check for the use of GET when sending sensitive data as the payload is
in the URL and shall be logged by the webserver (HTTP request shall be
logged).

Data validation is key but confidentiality and information leakage by
bad design is also a concern.

Using GET on a login page for example: The authentication parameters
shall be logged on the server. Nice way to harvent account info if you
can get your hands on the logs.

-ek



On 13/10/05, John GALLET <john.gallet () wanadoo fr> wrote:
> Hi there,
>
> > Do any of you test for this issue - what are your results?
>
> It is so easy (check curl lib for example if you want to send post data in
> automated scripts) to provide your application with the data the way you
> want it, be it GET, POST, COOKIE, that it's not even worth bothering
> checking how it came in.
>
> Test the contents of your data, not the way the vars were transmitted.
>
> Same goes for anything provided by the client such as referrer for
> example.
>
> HTH
> JG
>
> PS : French speakers might be interested in
> www.saphirtech.com/securite.html about what's totally useless in terms of
> security considering how easy to spoof.