RE: When GET = POST?
From: Glyn Geoghegan <glyn.geoghegan(at)corsaire.com>
Date: Thu Nov 14 2002 - 05:21:36 EST
It is worth noting that 'practical' CSS attacks often rely on a GET request to a vulnerable site, including abuse of back-end processing of an expected POST. These are, for example, executed through a social-engineering email/website with a customised link containing the CSS attack. AFAIK *this* form of CSS attack is only possible through a GET request, so it's worth designing the apps to receive over POSTs, and to enforce that.

Received on Thu Nov 14 16:10:14 2002
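The "abuse of back-end processing of an expected POST" the post refers to happens when a handler reads its parameters from a merged view of query string and body, so a crafted link (a GET) drives code written for a POSTed form. The example below is added here and is not the author's code: `update_email` is a hypothetical state-changing handler shown with a lax parameter source beside the strict one the post recommends, plus a small WSGI wrapper so it can be served with wsgiref.

```python
# Added example (not from the original post): enforcing POST on a
# state-changing endpoint so that a crafted link (a GET) cannot trigger it.
from urllib.parse import parse_qs


def lax_params(method, query_string, body):
    """Lax handling: query-string and body parameters are merged whatever the
    method, like frameworks that expose one combined request array. A GET
    carrying the right query string is processed exactly like a real POST."""
    params = parse_qs(query_string, keep_blank_values=True)
    if method == "POST":
        params.update(parse_qs(body, keep_blank_values=True))
    return {k: v[0] for k, v in params.items()}


def strict_params(method, query_string, body):
    """Strict handling: only POST is accepted, and parameters are read from the
    body alone; anything in the query string is ignored."""
    if method != "POST":
        return None
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def update_email(method, query_string, body, strict=True):
    """Hypothetical state-changing handler. Returns (status, message)."""
    if strict:
        params = strict_params(method, query_string, body)
    else:
        params = lax_params(method, query_string, body)
    if params is None:
        return 405, "Method Not Allowed"
    email = params.get("email")
    if email is None:
        return 400, "missing email"
    return 200, "email set to %s" % email  # a real app would persist it here


def wsgi_app(environ, start_response):
    """Minimal WSGI wrapper around the strict handler, e.g. served with
    wsgiref.simple_server.make_server('127.0.0.1', 8000, wsgi_app)."""
    length = int(environ.get("CONTENT_LENGTH") or 0)
    body = environ["wsgi.input"].read(length).decode("utf-8") if length else ""
    status, message = update_email(environ["REQUEST_METHOD"],
                                   environ.get("QUERY_STRING", ""), body)
    reason = {200: "OK", 400: "Bad Request", 405: "Method Not Allowed"}[status]
    start_response("%d %s" % (status, reason), [("Content-Type", "text/plain")])
    return [message.encode("utf-8")]
```

The method check removes only the link-in-an-email vector; any value the handler reflects back still needs output encoding, since a form on a hostile page can submit a POST.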