Consider a development team, where some developers check request methods
before performing operations and some don't. If developers are inconsistent
about method-checking, functionality could be broken, possibly in a way
affecting security, by someone making a GET where it expected a POST. i.e.,
data is only sanitized on POSTs, because one person wrote or modified that
code, but the application will accept and process a GET, because someone
else wrote that. Of course, the bottom line here is making your code
consistent and able to handle both situations, but it's something to think
about here.
Kevin Spett
SPI Labs
http://www.spidynamics.com/

----- Original Message -----
From: "Charles Miller" <cmiller@pastiche.org>
To: <webappsec@securityfocus.com>
Sent: Monday, November 11, 2002 3:28 PM
Subject: Re: When GET = POST?
> Okay, so this is a pretty belated reply.
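The inconsistency Kevin describes, as an added example that is not part of the original thread: a constructed comment-posting endpoint written as plain WSGI-style handler functions (no framework, so it runs offline). The first handler has sanitization only on its POST branch while still accepting GET with the raw value; the second whitelists the method first and sanitizes on the single shared path. The parameter name `comment`, the `store` stand-in and the sample environ dicts are all assumptions made for this illustration.

```python
import html
from urllib.parse import parse_qs


def _params(environ):
    """Merge query-string and form-body parameters the way many frameworks do,
    which is exactly why a GET can reach code written with a POST in mind.
    For this offline example the body is supplied as a str under 'wsgi.input'."""
    merged = parse_qs(environ.get("QUERY_STRING", ""))
    merged.update(parse_qs(environ.get("wsgi.input", "")))
    return {key: values[0] for key, values in merged.items()}


def sanitize(text):
    """Escape HTML metacharacters before the value is stored or rendered."""
    return html.escape(text, quote=True)


def store(comment):
    """Stand-in for persisting the comment; returns what would be stored."""
    return comment


def handle_comment_inconsistent(environ):
    """The pattern from the mail: one developer put the sanitization on the
    POST branch only, and the handler still accepts and processes a GET,
    so a GET carries the raw value straight through to store()."""
    comment = _params(environ).get("comment", "")
    if environ["REQUEST_METHOD"] == "POST":
        comment = sanitize(comment)
    return 200, store(comment)


def handle_comment_consistent(environ):
    """Hardened: reject every method except the one the operation expects,
    then sanitize on the one code path that remains, independent of method."""
    if environ["REQUEST_METHOD"] != "POST":
        return 405, ""
    comment = sanitize(_params(environ).get("comment", ""))
    return 200, store(comment)


# Constructed sample requests carrying the same markup-laden value.
GET_ENV = {
    "REQUEST_METHOD": "GET",
    "QUERY_STRING": "comment=%3Cscript%3Ex%3C/script%3E",
    "wsgi.input": "",
}
POST_ENV = {
    "REQUEST_METHOD": "POST",
    "QUERY_STRING": "",
    "wsgi.input": "comment=%3Cscript%3Ex%3C/script%3E",
}

if __name__ == "__main__":
    for name, handler in (("inconsistent", handle_comment_inconsistent),
                          ("consistent", handle_comment_consistent)):
        for env in (GET_ENV, POST_ENV):
            print(name, env["REQUEST_METHOD"], handler(env))
```

Running the block shows the inconsistent handler storing the raw `<script>` text on GET but the escaped form on POST, while the consistent handler answers 405 to the GET and stores the escaped form on POST. The point is the shape of the code, not the escaping: one method check at the top and one sanitization path means the two developers' contributions cannot disagree.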
Received on Tue Nov 12 12:18:16 2002

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:44 EDT