Re: When GET = POST?

Comments inline...

On Tuesday, November 5, 2002, at 02:54 AM, Chris Thomas wrote:

> Hi,
>
> This has been troubling me for a while.

Yes they do. While the retrieval mechanism can make the differentiation completely transparent for the web application developer, it is always good practice to call the expected variable from the header that is expected.

>
> Whilst, from a pen test perspective, I can see there both positive and
> negative aspects to doing this, I'd like to understand it a bit better
> from the application designer's/ coder's viewpoint:

There are two reasons to consider using POST vs GET methods that come to mind from a developer perspective.

1. Obfuscation: POST hides the variables from the URL that can be easily seen in any web browser. This makes any possible attacker have to work harder to check what variables and data types are passed in a post form.
2. Amount of data and non-text data types: You can not pass binary data in the query string of a URL. Additionally, the HTTP RFCs limit the amount of data that can be passed in a GET header significantly to that

> - Why does it happen? Is it just lazy coding or do languages like ASP
> offer no way to differentiate if data was POSTed or GETed?
>

It is lazy coding and not secure.

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

> - How is this situation handled in common server side languages such

Turn globals off!!! That is a major security issue anyway. You can refer to a POST variable in PHP by using the $_POST array to access the data. For example, if you are expecting a value for a variable you named "article" you can reference that data by using $_POST['article']. If you are expecting it in a GET header you can do it the same by referencing $_GET['article'].

>
> Chris
>
Received on Sat Nov 9 10:14:08 2002