Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: GET and POST Methods Accepted

from [Eoin Keary] Network Security [Permanent Link]
Subject: Re: GET and POST Methods Accepted
Date: Thu, 13 Oct 2005 14:24:59 +0000 
Check for the use of GET when sending sensitive data as the payload is
in the URL and shall be logged by the webserver (HTTP request shall be
logged).

Data validation is key but confidentiality and information leakage by
bad design is also a concern.

Using GET on a login page for example: The authentication parameters
shall be logged on the server. Nice way to harvent account info if you
can get your hands on the logs.

-ek



On 13/10/05, John GALLET <john.gallet@wanadoo.fr> wrote:

Hi there,


Do any of you test for this issue - what are your results?


It is so easy (check curl lib for example if you want to send post data in
automated scripts) to provide your application with the data the way you
want it, be it GET, POST, COOKIE, that it's not even worth bothering
checking how it came in.

Test the contents of your data, not the way the vars were transmitted.

Same goes for anything provided by the client such as referrer for
example.

HTH
JG

PS : French speakers might be interested in
www.saphirtech.com/securite.html about what's totally useless in terms of
security considering how easy to spoof.
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: myspace hack, Griffiths, Ian
Next by Date:  Re: User verification questions, Yousef Syed
Previous by Thread:  Re: GET and POST Methods Accepted, John GALLET
Next by Thread:  Re: GET and POST Methods Accepted, John GALLET
Indexes:  [Date] [Thread] [Top] [All Lists]