>The only difference between CSS attacks with POST vs GET methods is ease.
>It's easier with the GET method because, as you have noticed, the attacker
>can see the GET request in the location field of the browser.
>POST requests are not visible this way so may appear more secure, BUT THEY
>ARE NOT.
A GET is a little more insecure though. Say I can't slip JavaScript in but I am allowed to post an img or iframe tag:

img src=http://your-server/cgi-bin/post.pl?whatever i want here

As soon as your browser makes the request, looking for even an image, it will trigger the CGI script, and hey, there is another post on the board. Can't do that with a POST even if I can slip JS in. To achieve a POST I have to have my script write in an iframe, then either load the HTML form and fill it in and submit it, or write my own HTML form to it and submit it. Both take more time on my end than just having a premade attack string and then opening up the iframe with it as the URL. (I am focusing on using CSS to make other surfers on a site attack the server, not using my own resources such as a Perl script to post to the server.)
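Added example, not part of the original thread: a server-side check for a board-posting handler that refuses to create a post on GET (the only method an embedded img or iframe src can issue) and also requires a per-session form token, since a script-submitted form is still a POST. The function names, the `token` and `message` field names and the session id are assumptions made for this sketch.

```python
import hashlib
import hmac
import secrets

# Assumption: a per-process secret; a real deployment would persist it.
SERVER_SECRET = secrets.token_bytes(32)


def issue_token(session_id: str) -> str:
    """Token the server embeds as a hidden field in the posting form."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def check_post_request(method: str, form: dict, session_id: str) -> tuple:
    """Return (accepted, reason) for a request to the posting handler."""
    # An <img> or <iframe> src fetch is always a GET, so a handler that
    # changes state only on POST cannot be triggered by the tag alone.
    if method.upper() != "POST":
        return False, "state-changing action requires POST"
    # A form submitted by script is still a POST, so the method check is
    # not sufficient: also require the token bound to this session.
    supplied = str(form.get("token", "")).encode()
    expected = issue_token(session_id).encode()
    if not hmac.compare_digest(supplied, expected):
        return False, "missing or wrong form token"
    if not str(form.get("message", "")).strip():
        return False, "empty message"
    return True, "accepted"


if __name__ == "__main__":
    sid = "constructed-session-1"  # constructed sample value
    samples = [
        ("GET", {"message": "from an img src"}),           # tag-triggered fetch
        ("POST", {"message": "forged form, no token"}),    # form built elsewhere
        ("POST", {"message": "hello", "token": issue_token(sid)}),
    ]
    for method, form in samples:
        print(method, check_post_request(method, form, sid))
```

The token stops a form assembled without access to the server-rendered page; script injected into the board itself can load the real form and read the token, so escaping user-supplied markup is still required.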