RE: GET and POST Methods Accepted

From: Derick Anderson (dandersonvikus.com)
Date: Fri Oct 14 2005 - 07:00:48 CDT

> -----Original Message-----
> From: christopher baus [mailto:christopherbaus.net]
> Sent: Thursday, October 13, 2005 2:04 PM
> To: webappsecsecurityfocus.com
> Subject: RE: GET and POST Methods Accepted
>
> > Anyway I share this only because the original post seemed to focus on
> > GET vs. POST more than XSS. I restrict GET as much as possible in site
> > development because it can expose the inner workings of the site and,
> > secure methodology or not, we all miss something from time to time.
>
> I don't understand this philosophy. If you forget what is
> visible in the web browser and look at what is put on the
> wire, which is trivially viewed with packages like ethereal,
> the only difference between GET and POST requests is that the
> parameters for GET requests are on the request line and
> parameters for POST requests are in the body. To me the
> security implications are practically identical.

I think you are neglecting the human element a bit: if I hadn't seen the
URL string, I wouldn't have thought to try cracking it. Sure, a
determined hacker/pentester will use ethereal to see what's going on,
but your average bored university student won't think to do it during
class. If I go to a site and I see
"site/page.asp?id=something&token=something", I get a lot more curious
than if I just see "site/page.asp".

Having said that, I agree with you from a technical standpoint: what goes
over the wire goes over the wire, and cookie, POST, or GET, it doesn't
make a difference. But imagine now that the site is encrypted over SSL
(which in my case, it was) and it becomes less trivial.

Derick Anderson
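The two points made in this thread, that GET and POST carry identical parameters on the wire but that GET additionally exposes them in places a casual observer sees, can be checked with a small script. This is an added example, not part of the original exchange; the host, path, parameter values and log format are constructed for illustration.

```python
from urllib.parse import urlencode

# Constructed sample request: hypothetical host, page and token values.
HOST = "site.example"
PATH = "/page.asp"
PARAMS = {"id": "1042", "token": "a1b2c3"}


def build_get(path: str, params: dict) -> bytes:
    """Raw HTTP/1.1 GET: the parameters travel on the request line."""
    query = urlencode(params)
    return (f"GET {path}?{query} HTTP/1.1\r\n"
            f"Host: {HOST}\r\n\r\n").encode()


def build_post(path: str, params: dict) -> bytes:
    """Raw HTTP/1.1 POST: the same parameters, carried in the body."""
    body = urlencode(params).encode()
    return (f"POST {path} HTTP/1.1\r\n"
            f"Host: {HOST}\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\n\r\n").encode() + body


def on_wire(request: bytes, value: str) -> bool:
    """Over plaintext HTTP a passive sniffer sees the full request,
    so a parameter value is equally exposed in either method."""
    return value.encode() in request


def access_log_line(request: bytes) -> str:
    """Simulated Common Log Format entry (constructed client address and
    timestamp). Servers log the request line, not the body, so GET query
    strings are persisted in logs while POST parameters are not."""
    request_line = request.split(b"\r\n", 1)[0].decode()
    return (f'203.0.113.7 - - [14/Oct/2005:07:00:48 -0500] '
            f'"{request_line}" 200 512')


def leaks_to_log(request: bytes, value: str) -> bool:
    """Does the parameter value end up in the access log?"""
    return value in access_log_line(request)
```

The same asymmetry applies to browser history, bookmarks and Referer headers, which is why a token in a GET query string is exposed to far more than a sniffer.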