From: Mark Curphey (mcurphey_at_onebox.com)
Date: Wed Jul 10 2002 - 17:42:44 CDT

    Page 28 of 93 talks about GET vs. POST in forms-based authentication.

    Pages 71 and 73 deal with HTML form manipulation issues and URL manipulation
    issues and discuss the problem.

    Page 80 talks about privacy considerations of communal browsers.

    The way I read it this wasn't about transport security (in transit).
    A group of people are updating the doc significantly and so I'll drop
    them a line to make sure the matter is discussed in detail and more prominent.

    ---- "Kevin Spett" <kspettspidynamics.com> wrote:
    > I do not see anything in the guide at all about best practices for
    > transport security besides a section on SSL and TLS, which the poster
    > is already using.
    >
    >
    >
    > Kevin Spett
    > SPI Dynamics, Inc.
    > http://www.spidynamics.com/
    > ----- Original Message -----
    > From: "Mark Curphey" <mcurpheyonebox.com>
    > To: "Steven Fling" <SFLINGoppenheimerfunds.com>
    > Cc: <webappsecsecurityfocus.com>
    > Sent: Wednesday, July 10, 2002 3:43 PM
    > Subject: Re: Best Practices for passing data via HTTP
    >
    >
    > > You should find what you are looking for in the Common Attacks section
    > > of the OWASP Guide to Building Secure Web Apps....it's under forms field
    > > manipulation and URL manipulation in particular....
    > >
    > > Its at http://www.owasp.org
    > >
    > > ---- "Steven Fling" <SFLINGoppenheimerfunds.com> wrote:
    > > > Our application communicates across various application server
    > > > environments via HTTP/HTTPS requests (versus RMI, etc.) and needs to
    > > > pass data/parameters back and forth. Naturally we use SSL to encrypt
    > > > the request/response.
    > > >
    > > > I wanted to see if there were any Best Practices established to
    > > > transfer data in this fashion. POST vs. GET method, querystring vs.
    > > > hidden form variable, etc.
    > > >
    > > > Any insight would be appreciated!
    > > >
    > > > ____________________________________
    > > > Steve Fling
    > > > Managing Architect - Web Development
    > > > OppenheimerFunds, Inc.
    > > > sflingoppenheimerfunds.com
    > > > Office: 303.768.3200
    > > > FAX: 303.768.1096
    > > > http://www.oppenheimerfunds.com
    > > > ____________________________________
    > > >
    > > >
    > > > This electronic mail transmission may contain confidential information
    > > > and is intended only for the person(s) named. Any use, copying or
    > > > disclosure by any other person is strictly prohibited. If you have
    > > > received this transmission in error, please notify the sender via
    > > > e-mail.
    > > >
    > > >
    > >
    >
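The thread points at the OWASP Guide's "forms field manipulation" and "URL manipulation" material for the question of querystring vs. hidden form field: SSL protects the data in transit, but whichever of those carriers is used, the receiving server gets values the client was free to edit. The following is an added example, not code from the thread or from the OWASP Guide, showing one way two application servers can detect such tampering: the sender appends an HMAC over a canonical encoding of the parameters, and the receiver recomputes it before trusting any field. The shared key, parameter names and sample values are constructed for illustration.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode

# Constructed shared secret between the two application servers (hypothetical;
# a real deployment would load it from configuration, never hard-code it).
SHARED_KEY = b"example-shared-secret-do-not-use"


def canonical(params: dict) -> bytes:
    """Deterministic encoding: sort keys so sender and receiver sign identical bytes
    regardless of the order the fields arrived in (querystring, POST body or hidden fields)."""
    return urlencode(sorted(params.items())).encode()


def sign_params(params: dict, key: bytes = SHARED_KEY) -> dict:
    """Return a copy of params with a 'sig' field: HMAC-SHA256 over every other field."""
    body = {k: v for k, v in params.items() if k != "sig"}
    mac = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {**body, "sig": mac}


def verify_params(params: dict, key: bytes = SHARED_KEY) -> bool:
    """True only if 'sig' is present and covers all other fields exactly as received.
    compare_digest avoids leaking the expected MAC through timing differences."""
    sig = params.get("sig")
    if not isinstance(sig, str):
        return False
    body = {k: v for k, v in params.items() if k != "sig"}
    expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(sig, expected)


def verify_query_string(qs: str, key: bytes = SHARED_KEY) -> bool:
    """Parse a raw querystring or form body and verify it.
    Duplicate keys are rejected outright: frameworks disagree on whether the first
    or last value wins, and that ambiguity is itself a manipulation vector."""
    pairs = parse_qsl(qs, keep_blank_values=True)
    keys = [k for k, _ in pairs]
    if len(keys) != len(set(keys)):
        return False
    return verify_params(dict(pairs), key)


def demo() -> tuple:
    """Sign a constructed transfer request, then check an intact copy, a copy with the
    amount edited by the client, and an unsigned copy."""
    original = {"account": "12345", "amount": "100.00", "currency": "USD"}
    signed = sign_params(original)
    wire = urlencode(signed)  # same bytes whether sent as GET querystring or POST body
    tampered = dict(signed, amount="1.00")
    return (
        verify_query_string(wire),   # intact: True
        verify_params(tampered),     # amount changed: False
        verify_params(original),     # no signature at all: False
    )


if __name__ == "__main__":
    print(demo())
```

The signature answers only the integrity question the thread raises; it does not change the other reasons the guide gives for preferring POST over GET for sensitive values (query strings end up in server logs, browser history and Referer headers even under SSL), and a production version would also bind a timestamp or nonce into the signed fields so a valid signed request cannot simply be replayed.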