WebApp Sec: Re: IIS log - GETs vs. POSTs

Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

WebApp Sec mailing list archives

Re: IIS log - GETs vs. POSTs

From: Lucas Holt <luke () foolishgames com>
Date: Sat, 30 Aug 2003 16:09:21 -0400

Bottom line, use POST when possible. Also buy an SSL key for webapplications.


I'd like to comment on this example:
<FORM METHOD="POST" ACTION="/cgi-bin/useradd.cgi?data">

In this case, aren't you posting to a URL with a query string? Theofficial reason for using POST requests is for bodies that are largerthan the common default accepted by user agents. Query strings canonly be so long. Information hiding is a side benefit.

I think people should realize that using POST does not make yourapplication secure in any way. You must check user input. I couldtake lynx, hack the source, and add a feature to change hiddenvariables on forms, etc. I've actually seen plugins to do that withMozilla. Programming web applications is far more serious thanconventional apps.. because EVERYONE can access/attack them. Its a lotlike having a windows machine on the internet with no firewall orpatches. :)



Lucas Holt
Luke () FoolishGames com

By Date By Thread

Current thread:

Fw: IIS log - GETs vs. POSTs Matt Fisher (Aug 30)
- Re: IIS log - GETs vs. POSTs Jeremy Poteet (Aug 30)
  - Re: IIS log - GETs vs. POSTs RSnake (Aug 30)
    - Re: IIS log - GETs vs. POSTs Lucas Holt (Aug 30)
    - Re: IIS log - GETs vs. POSTs RSnake (Aug 31)
- <Possible follow-ups>
- RE: IIS log - GETs vs. POSTs Calderon, Juan C (EM, DDEMESIS) (Sep 01)
  - RE: IIS log - GETs vs. POSTs RSnake (Sep 01)
    - RE: IIS log - GETs vs. POSTs Guille -bisho- (Sep 01)
    - RE: IIS log - GETs vs. POSTs RSnake (Sep 01)