On Thu, 04 Nov 2004 10:04:08 -0500, Robert Sayre <[EMAIL PROTECTED]> wrote:
>
> Dare Obasanjo wrote:
> >
> > I still don't get it. How does using a new HTTP method
> > somehow prevent whatever problems you claim exist by
> > using POST? Also you need to do a better job of
> > explaining what these supposed problems are.
>
> Let's see. It's tough to make an exhaustive list, because POST is used
> for all sorts of things, many of which are not idempotent
> (PaceServiceError is), and the list of purposes it's used for grows every
> day.
>
> Cross-site scripting would be a good one.
>
> 1.) Evil person finds naive PHP script out there on the net.
> 2.) Evil person manipulates honest clients into POSTing to it by giving
> them bogus XML.

How, exactly, is the evil person stopped from sending an ERROR, yet able to send a POST?

> 3.) PHP script bombarded with POSTs from random clients. Using a new
> verb makes it likely that a 405 would result.

A DoS, or even DDoS, attack is just that, an attack, and all of the methods under discussion here are equally vulnerable to it. All the methods avoid using GET, which allows a really simple img/@src method of triggering such a DDoS attack.

> Also, I'd like to note that the Pace doesn't say anything about a body
> for the request. It's just a hit counter.
>
> Robert Sayre

-- 
Joe Gregorio http://bitworking.org
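The two points argued in the thread (a hit counter that can be hit by GET is reachable from any third-party `<img src=...>`, whereas a resource that only accepts POST or a custom verb answers everything else with 405; and a flood of requests is a problem regardless of the verb) can be shown with a small method-dispatching resource. This is an added example, not code from the thread or from the Atom/Pace work it discusses: `ERROR` is used as a stand-in for a hypothetical custom method, the client addresses are constructed documentation-range values, and the per-client rate limit is an added mitigation for the flood case, not something the Pace specifies.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from http import HTTPStatus


@dataclass
class HitCounter:
    """Hit-counter resource that only counts hits made with an allowed verb.

    'ERROR' is a hypothetical custom method standing in for the new verb
    discussed in the thread; it is not a registered HTTP method.
    """
    allowed: frozenset = frozenset({"POST", "ERROR"})
    per_client_limit: int = 5          # counted hits per client per window (constructed value)
    window: float = 60.0               # seconds (constructed value)
    count: int = 0
    _seen: dict = field(default_factory=lambda: defaultdict(list))

    def handle(self, method, client="203.0.113.1", now=0.0):
        """Process one request; returns (status, response headers, body).

        client and now are supplied by the caller so the example runs offline.
        """
        method = method.upper()
        # Method allow-list: GET and any unknown verb never reach the side effect.
        # RFC 7231 requires an Allow header on a 405.
        if method not in self.allowed:
            return (HTTPStatus.METHOD_NOT_ALLOWED,
                    {"Allow": ", ".join(sorted(self.allowed))}, "")
        # The verb does not protect against a flood of valid requests, so a
        # simple sliding-window limit per client bounds what one source can count.
        hits = self._seen[client]
        hits[:] = [t for t in hits if now - t < self.window]
        if len(hits) >= self.per_client_limit:
            return (HTTPStatus.TOO_MANY_REQUESTS,
                    {"Retry-After": str(int(self.window))}, "")
        hits.append(now)
        self.count += 1
        return (HTTPStatus.OK, {"Content-Type": "text/plain"}, str(self.count))


def browser_img_fetch(counter, client="198.51.100.7"):
    """A browser resolves <img src="..."> with a plain GET and nothing else,
    so an image tag on a third-party page can only reach the counter this way."""
    return counter.handle("GET", client=client)


if __name__ == "__main__":
    safe = HitCounter()
    print("img tag against POST/ERROR-only counter:", browser_img_fetch(safe)[0], safe.count)
    leaky = HitCounter(allowed=frozenset({"GET", "POST"}))
    print("img tag against GET-accepting counter:", browser_img_fetch(leaky)[0], leaky.count)
    for i in range(6):
        print("POST #%d from one client:" % (i + 1), safe.handle("POST", client="198.51.100.9", now=float(i))[0])
```

Running the block shows the image-tag fetch producing 405 and leaving the count at 0 for the POST/ERROR-only counter, producing 200 and a count of 1 for the GET-accepting one, and the sixth POST from a single client within the window being answered with 429 whichever verb is allowed.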
