WebApp Sec
mailing list archives
Re: GET and POST Methods Accepted
From: "Amit Klein (AKsecurity)" <aksecurity () hotpop com>
Date: Thu, 13 Oct 2005 10:57:33 +0200
On 12 Oct 2005 at 15:04, Welsh, Ed wrote:

> If the site will accept the GET method for
> form data and is vulnerable to XSS, the attack surface greatly increases over a site that is
> vulnerable to XSS but only accepts the POST method. POST is still attackable, but it becomes more
> complicated than simply emailing a link.

An attacker can email a link to his/her own website/page, and this specially crafted page
can contain a form (with method=POST and action being the vulnerable URL) followed by a
piece of Javascript that submits this form. So XSS on POST method URLs isn't much more
complicated than XSS on GET URLs.
-Amit
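
The point made in this thread, seen from the server side, as an added example that is not part of the original posts: a handler that only refuses GET still reflects the POST value raw, while encoding at the output sink covers both methods. The handler names, the `name` field, the `/greet` path and the request objects are hypothetical and constructed for illustration.

```javascript
// Added example: constructed request objects and hypothetical handler names.

// HTML-encode the characters that are significant in element and attribute context.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Read the "name" form field from the query string (GET) or the urlencoded body (POST).
function readName(req) {
  if (req.method === 'GET') {
    return new URL(req.url, 'http://app.example').searchParams.get('name') ?? '';
  }
  return new URLSearchParams(req.body ?? '').get('name') ?? '';
}

// Method restriction only: GET is refused, but the POST value is reflected raw.
function handlePostOnly(req) {
  if (req.method !== 'POST') return { status: 405, body: '' };
  return { status: 200, body: `<p>Hello ${readName(req)}</p>` };
}

// Fix at the sink: the value is encoded on output, whichever method carried it.
function handleEncoded(req) {
  if (req.method !== 'GET' && req.method !== 'POST') return { status: 405, body: '' };
  return { status: 200, body: `<p>Hello ${escapeHtml(readName(req))}</p>` };
}

// True when the response body still contains an unencoded script tag.
function containsRawMarkup(res) {
  return res.body.includes('<script>');
}

// Constructed sample input: the same marker value carried by each method.
const marker = '<script>alert(1)</script>';
const viaGet = { method: 'GET', url: `/greet?name=${encodeURIComponent(marker)}` };
const viaPost = { method: 'POST', url: '/greet', body: `name=${encodeURIComponent(marker)}` };

for (const [label, handler] of [['POST-only', handlePostOnly], ['encoded', handleEncoded]]) {
  for (const req of [viaGet, viaPost]) {
    const res = handler(req);
    console.log(`${label} ${req.method}: status=${res.status} raw=${containsRawMarkup(res)}`);
  }
}
```
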