Posted by Jochem Maas on 03/03/05 20:36
Richard Lynch wrote:
> Jochem Maas wrote:
>
>>Gareth Williams wrote:
>>
>>>Wouldn't using GET instead of POST help?
>>
>>in a way it could - but you don't usually want to use a GET as this
>>can be easily spoofed (i.e. anyone could send you a link or post one in a
>>forum
>>that would do the post action without warning you)
>>
>>which comes down to: you should be 'certified' if you use GET to allow
>>users to submit a payment confirmation - you only want a FORM to be able to
>>submit such a confirmation rather than allowing any old link to issue such a
>>confirmation....
>>
>>for a much better description on why using GET is 'bad' in this kind of
>>situation I refer you to posts made by Richard Lynch (I think??) in the last
>>6 weeks (can't remember the subject I'm afraid)
>
>
> Gah!
>
> I'm actually the one who said you should *NOT* fool yourself that POST is
> any "more secure" than GET.
oops!
>
> Only the dumbest of the dumb can't figure out how to save an HTML form and
> modify it to POST whatever they want to your script.
>
> Choosing POST over GET should be a matter of aesthetics, not security.
The point I was trying to make is that if you use POST then you know that the
user had to submit a form. The reason to use POST therefore is simply that
a _third_party_ cannot trick one of your users into clicking a link
that actually changes a
>
> I have many scripts that will behave "the same" with GET or POST input.
>
> Or, more correctly, would do the same thing if you were trying to spoof
> them with GET/POST input.
>
> The most common example is to view/edit a record in the database, I often
> use a link with GET to get to the edit page, and that has a FORM (POST) to
> the same page to update the record.
>
> I'll use REQUEST all over, and if somebody manages to break in and wants
> to use GET instead of POST to hack it, I don't see a hell of a lot of
> difference.
>
> If they're smart enough to get past the authentication, they're sure as
> hell smart enough to do a forged POST. [shrug]
You are right - actually I code pretty much the way you describe - but
I was meaning a situation where the user is not the hacker, but the hacker
is a third party trying to trick the user into performing an action....
which is a lot easier to do without alerting the user if the relevant action
can be triggered by a GET.
imagine a link:
<a href="http://www.example.com?a=10&pay=MrX">so payment</a>
<a href="http://www.example.com?a=10000&pay=MrHacker">read more</a>
then imagine that as a FORM.
my point is that the link is a lot easier to drop into someone else's site than
a form.
but yes you are right when it comes down to it. thanks for the catch.
remind me again why we acknowledge the difference between POST and GET in 2005?
>
> GET is only "easier" to spoof that POST if you're comparing really really
> really stupid people with really really stupid people...
so you have met parents
>
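The scenario the two posters are arguing over (a third party planting a link or a form that fires an action inside a logged-in user's session) as an added example; this is not code from the original thread or from either poster. It is written in Python rather than PHP so that it runs stand-alone; the payment endpoint, the PHPSESSID cookie name, the csrf field, the session store and the ledger are all assumptions made for the example. It shows the method-only check Richard dismisses, a forged GET and a forged POST with the victim's cookies attached, and the per-session token check that actually distinguishes the site's own form from a third party's.

```python
# Added example (not part of the original thread): a toy model of the
# "payment confirmation" endpoint under discussion, showing that a third
# party can forge a POST just as easily as a GET, and that what stops the
# forgery is a per-session secret the third party cannot obtain.
# Endpoint, parameter and cookie names are assumptions, not from the page.
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Request:
    method: str                 # "GET" or "POST"
    params: Dict[str, str]      # query string or form body, merged like $_REQUEST
    cookies: Dict[str, str]     # the browser attaches these to every request it sends


@dataclass
class Session:
    user: str
    # Secret known only to the server and to pages it renders inside this session.
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


# Constructed sample state: one logged-in user, an empty payment ledger.
SESSIONS: Dict[str, Session] = {"sess-123": Session(user="alice")}
LEDGER: List[Tuple[str, str, int]] = []


def _session_for(req: Request) -> Optional[Session]:
    return SESSIONS.get(req.cookies.get("PHPSESSID", ""))


def pay_method_only(req: Request) -> str:
    """The 'POST, not GET' defence from the thread: checks only the verb."""
    sess = _session_for(req)
    if sess is None:
        return "rejected: not logged in"
    if req.method != "POST":
        return "rejected: GET"
    LEDGER.append((sess.user, req.params["pay"], int(req.params["a"])))
    return "paid"


def pay_with_token(req: Request) -> str:
    """Same endpoint, but the form must carry the session's CSRF token."""
    sess = _session_for(req)
    if sess is None:
        return "rejected: not logged in"
    if req.method != "POST":
        return "rejected: GET"
    token = req.params.get("csrf", "")
    # Constant-time compare; a missing or wrong token is refused.
    if not hmac.compare_digest(token.encode(), sess.csrf_token.encode()):
        return "rejected: bad csrf token"
    LEDGER.append((sess.user, req.params["pay"], int(req.params["a"])))
    return "paid"


def render_payment_form(sess: Session, amount: int, payee: str) -> str:
    """The site's own form: only a page served inside the session carries the token."""
    return (
        '<form method="POST" action="/pay">'
        f'<input type="hidden" name="csrf" value="{sess.csrf_token}">'
        f'<input type="hidden" name="a" value="{amount}">'
        f'<input type="hidden" name="pay" value="{payee}">'
        '<input type="submit" value="Confirm payment"></form>'
    )


# --- What a third party can make the victim's browser send, cookies included ---
VICTIM_COOKIES = {"PHPSESSID": "sess-123"}


def forged_get() -> Request:
    """The link from the thread: <a href="...?a=10000&pay=MrHacker">read more</a>."""
    return Request("GET", {"a": "10000", "pay": "MrHacker"}, VICTIM_COOKIES)


def forged_post() -> Request:
    """A hidden <form method="POST"> on the attacker's page, auto-submitted by
    script. The browser still attaches the victim's cookies, but the attacker
    cannot read pages from the victim's session, so no valid token is included."""
    return Request("POST", {"a": "10000", "pay": "MrHacker"}, VICTIM_COOKIES)


def genuine_post() -> Request:
    """The victim submits the site's own rendered form, token included."""
    sess = SESSIONS["sess-123"]
    return Request("POST", {"a": "10", "pay": "MrX", "csrf": sess.csrf_token}, VICTIM_COOKIES)


if __name__ == "__main__":
    for name, req in [("forged GET", forged_get()), ("forged POST", forged_post()),
                      ("genuine POST", genuine_post())]:
        print(f"{name:13s} method-only: {pay_method_only(req):26s} "
              f"with token: {pay_with_token(req)}")
```

Run it and the forged POST is accepted by the method-only handler exactly as Richard says it would be; the token version refuses it because the only thing a page on another origin cannot supply is a value that exists solely in pages the server rendered for the victim's session. Browsers today add SameSite cookie defaults as a second layer, but the token is the check that does not depend on the client.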