
Re: When GET = POST?

From: Jason Healy <jhealy+webappsec(at)logn.net>
Date: Mon Nov 11 2002 - 22:50:44 EST

At 1037065312s since epoch (11/11/02 20:41:52 -0500 UTC), Jeff Dafoe wrote:
> I am glad someone else feels the way I do about this issue. In the case

Perhaps. While I'll admit it's anal-retentive to check the method, I usually do it for important things. Why? Because it adds that extra layer of protection. It's easy to check the method; why not use the functionality if it's available?

Most browsers will warn about the dangers of resubmitting POST data; this can be helpful as additional reinforcement for users (for example, when submitting a credit card order). Sure, the data aren't any safer, but maybe (just maybe) the *operations* on those data are.

GET means GET; it's not supposed to perform irreversible operations. If you have a delete CGI like this:

http://hackme.example.com/cgi-bin/deleteUser.pl?userId=jbogus

And somebody sneaks that link into an image URL on an oft-visited bulletin board, then your app may perform a valid operation that the user didn't want. *Your* app may be safe against XSS, but somebody else's might not be.

Yes, you can sucker a user into performing a POST as well, but it's more difficult (need more HTML, and probably scripting to do it without the user noticing).


Again, it's not the biggest deal in web programming, but I would consider it a best-practice kind of an issue. It's easy to check, so why not do it?

Jason

-- 
Jason Healy
http://www.logn.net/
Received on Mon Nov 11 22:54:33 2002
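Added example (not from the original message or the list): the deleteUser handler above in two WSGI-style variants, one that deletes on any method and one that refuses everything but POST, the check Jason argues for. The in-memory user table, the handler names and the constructed request environs are assumptions for the demonstration.

```python
import io
from urllib.parse import parse_qs

# Constructed in-memory "user database" for the demonstration.
USERS = {"jbogus": {"email": "jbogus@example.com"},
         "alice": {"email": "alice@example.com"}}


def _user_id(environ):
    """Read userId from the form body on POST, from the query string otherwise."""
    if environ["REQUEST_METHOD"] == "POST":
        length = int(environ.get("CONTENT_LENGTH") or 0)
        params = parse_qs(environ["wsgi.input"].read(length).decode())
    else:
        params = parse_qs(environ.get("QUERY_STRING", ""))
    return params.get("userId", [None])[0]


def delete_user_unsafe(environ, users):
    """Deletes on GET or POST alike: an <img src=...?userId=...> on any
    other site is enough to trigger the irreversible operation."""
    uid = _user_id(environ)
    if uid in users:
        del users[uid]
        return "200 OK", f"deleted {uid}"
    return "404 Not Found", "no such user"


def delete_user_hardened(environ, users):
    """Refuses the operation unless the request method is POST.
    A 405 with no side effect is the idiomatic refusal."""
    if environ["REQUEST_METHOD"] != "POST":
        return "405 Method Not Allowed", "use POST"
    return delete_user_unsafe(environ, users)


def get_request(user_id):
    """Constructed environ: what a browser sends when it loads an image URL."""
    return {"REQUEST_METHOD": "GET", "QUERY_STRING": f"userId={user_id}"}


def post_request(user_id):
    """Constructed environ: a real form submission with a urlencoded body."""
    body = f"userId={user_id}".encode()
    return {"REQUEST_METHOD": "POST", "CONTENT_LENGTH": str(len(body)),
            "wsgi.input": io.BytesIO(body)}
```

The method check alone is what the message is about; as Jason notes, a POST can still be forged with more effort, so production code pairs this check with a per-session anti-CSRF token.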

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:44 EDT
