RE: When GET = POST?

ASP offers both Request.Querystring & Request.Form which only deal exclusively with data from GET & POST operations respectively. For ASP when you observe GET variables being used where only POST'd variables should be applicable it will always come down to lazy (or at least uninformed) programmers as there *are* ways to avoid this problem.

The reason this problem comes about is that instead of querying just a specific collection of variables from the Request object it's also possible to query the entire Request object itself for a variable, so instead of using Request.Querystring("Blah") I could use Request("Blah"). This is not recommended because it queries the following collections from the request object in the order;

.Querystring
.Form
.Cookies
.ClientCertificate
.ServerVariables

Aside from being much slower than a request against a single collection it also allows you very little control over which collection it will return data from other than the order in which they are queried e.g. if variable "blah" is not found in the GET or POST data then potentially Request("Blah") could end up returning that variable from a cookie, client certificate or server variable!

Hope that helps...

Regards
Tony

-----Original Message-----
From: Chris Thomas [mailto:chris.thomas@lodoga.co.uk] Sent: 05 November 2002 10:54
To: webappsec@securityfocus.com
Subject: When GET = POST?

Hi,

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

This has been troubling me for a while.

When pen testing web apps where a page POSTs data it often seems just as effective (and easier) to encode the data in the URL (i.e. use and HTTP GET ). Is guess this is because many server-side languages do not differentiate how a variable is set?

Whilst, from a pen test perspective, I can see there both positive and negative aspects to doing this, I'd like to understand it a bit better from the application designer's/ coder's viewpoint:

• Why does it happen? Is it just lazy coding or do languages like ASP offer no way to differentiate if data was POSTed or GETed?
• How is this situation handled in common server side languages such PHP, etc?

Chris Received on Sat Nov 9 10:15:06 2002