WebApp Sec mailing list archives

RE: (clarification) GET and POST Methods Accepted


From: "Joe Teff" <joe () joeteff com>
Date: Thu, 13 Oct 2005 23:17:31 -0500

I see shortcuts taken a lot. An example is using ASP where Request
("variablename") is used to retrieve a value rather than Request.Form
("variablename") or Request.QueryString("variablename"). When using the 
abbreviated form, ASP checks the QueryString, then Form, then Cookies, 
then ClientCertificate, then ServerVariables.

It's not uncommon in servlets to see a call to doPost from inside the 
doGet. Less common is when service is overridden instead of the doPost or 
doGet.

JSPs almost always use request.getParameter without checking the request 
method.

These are examples, not a definitive list of all languages and environments.

Joe


-----Original Message-----
From: "Evans, Arian" <Arian.Evans () fishnetsecurity com>
To: <webappsec () securityfocus com>
Date: Thu, 13 Oct 2005 13:24:02 -0500
Subject: RE: (clarification) GET and POST Methods Accepted

1) Are other people seeing that the applications they test
accept GETs where they are intended/expecting to accept POSTs?

2) Are you seeing this more or less on specific platforms?
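The servlet shortcut described in the reply above (doGet handing off to doPost, and getParameter reading the query string and body alike) next to a version that keeps a state-changing action on POST only. This is an added illustration, not code from the thread or any project it mentions; the servlet names, the "email" parameter and the javax.servlet API level are assumptions chosen for the example.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical "before": the shortcut pattern. Because doGet simply calls
// doPost, the account change is reachable from a plain link or image tag,
// and getParameter() happily reads the value out of the URL.
class ShortcutChangeEmailServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        doPost(req, resp);   // GET accepted wherever POST was intended
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // getParameter() merges query string and request body, so this works
        // for ?email=... on a GET just as well as for a posted form field.
        String email = req.getParameter("email");
        AccountStore.updateEmail(req.getSession().getId(), email);
        resp.getWriter().print("updated");
    }
}

// Hardened version: GET only renders the form; the change itself requires a
// real POST whose parameters came in the body, not the URL.
public class ChangeEmailServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.setContentType("text/html");
        resp.getWriter().print(
            "<form method=\"post\"><input name=\"email\">"
            + "<input type=\"submit\" value=\"Change\"></form>");
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if (!isPostWithBodyParameters(req)) {
            // Also covers the case where service() was overridden or doGet
            // delegated here: getMethod() still reports the real verb.
            resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
            return;
        }
        String email = req.getParameter("email");
        if (email == null || email.isEmpty()) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        AccountStore.updateEmail(req.getSession().getId(), email);
        resp.getWriter().print("updated");
    }

    // The servlet API offers no "form only" accessor like ASP's Request.Form,
    // so the closest check is: the verb is POST and nothing rode in on the
    // query string.
    static boolean isPostWithBodyParameters(HttpServletRequest req) {
        return "POST".equals(req.getMethod()) && req.getQueryString() == null;
    }
}

// Hypothetical persistence stub so the example compiles on its own.
class AccountStore {
    static void updateEmail(String sessionId, String email) {
        // real code would look up the logged-in user and persist the change
    }
}
```

The same idea in classic ASP is to read Request.Form("email") rather than Request("email"), so the lookup never falls through to QueryString or Cookies, and to compare Request.ServerVariables("REQUEST_METHOD") against "POST" before performing the change.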

