I'll refer back to my original response.
GET parameters are cached in the browser and logged on the server (I'm
assuming SSL here). This can lead to replay attempts and data exposure.
These are problems that POST does not have.
If your site expects POST requests, then a GET request can respresent an
attack (someone is trying values in the address line or maybe scripted).
This is a Detective measure rather than a Preventative measure.
I'll include another potential exposure by having sensative data in URLs.
If there are any embedded http links in a page, then the URL (including
paramters) are inserted into the HTTP Referer. Lets say you use an HTTP
site for caching graphics. All requests for those graphics will include
the URL of the page.
Joe
-----Original Message-----
From: "christopher baus" <christopher@baus.net>
To: webappsec@securityfocus.com
Date: Thu, 13 Oct 2005 18:04:22 -0000 (GMT)
Subject: RE: GET and POST Methods Accepted
Anyway I share this only because the original post seemed to focus on
GET vs. POST more than XSS. I restrict GET as much as possible in
site
development because it can expose the inner workings of the site and
secure methodology or not, we all miss something from time to time.
I don't understand this philosophy. If you forget what is visible in
the
web browser and look at what is put on the wire, which is trivially
viewed
with packages like ethereal, the only difference between GET and POST
requests is that the parameters for GET requests are on the request
line
and parameters for POST requests are in the body. To me the security
implications are practically identical.
