The Struts servlet combines doPost and doGet like you describe, so anyone
using Struts is doing this by default.
ColdFusion works much like you describe ASP.
So, yes, its common.
The tendency of most web higher-level (ie., higher than the Servlet API)
frameworks has been to make it possible for the developer to switch the HTML
back and forth between GET and POST without having to change the code that
accepts the form submission. This has convenience benefits, especially in
teams where the HTML is written by an different person than the code.
I think this is the first time I've seen a real discussion of the security
implications of this common design choice, although its obvious that many
have thought about it.
Jeff Robertson
Manager of Web Application Security
Digital Insight
-----Original Message-----
From: Joe Teff [mailto:joe@joeteff.com]
Sent: Friday, October 14, 2005 00:18
To: webappsec@securityfocus.com
Subject: RE: (clarification) GET and POST Methods Accepted
I see shortcuts taken a lot. An example is using ASP where Request
("variablename") is used to retreive a value rather than Request.Form
("variablename") or Request.QueryString("variablename"). When
using the
abbreviated form, ASP checks the QueryString, then Form, then
Cookies,
then ClientCertificate, then ServerVariables.
It's not uncommon in servlets to see a call to doPost from inside the
doGet. Less common is when service is overridden instead of
the doPost or
doGet.
JSP's almost always use request.getParameter without checking
the request
method.
These are examples, not a definitive list of all languages,
environments.
Joe
-----Original Message-----
From: "Evans, Arian" <Arian.Evans@fishnetsecurity.com>
To: <webappsec@securityfocus.com>
Date: Thu, 13 Oct 2005 13:24:02 -0500
Subject: RE: (clarification) GET and POST Methods Accepted
1) Are other people seeing that the applications they test
accept GETs where they are intended/expecting to accept POSTs?
2) Are you seeing this more or less on specific platforms?
