On Thu, Feb 28, 2008 at 2:40 PM, Sean <[EMAIL PROTECTED]> wrote: > I agree, also if you actually look at the request being sent to the > server, the only difference between POST and GET is on is in the header > where as the other is in the body. > > The only security it adds is a slight obscurity. >
/me facepalms This is NOT security through obscurity. This is explicitly declaring which method you're using. This is better from a security schema standpoint, a development standpoint, and a proper HTTP handling standpoint (and the exact opposite, really, of "security through obscurity" -- if you explicitly define what method you're using, you're avoiding obscurity on your end, especially when you're in a team development environment). Look guys, you're not using it because it'll trick hackers so when they only use GET requests you can say "WHEW! HA! THEY DIDN'T FIND MY UBER SECRET POST HANDLING REQUEST!ONE!!1". It's because better designed and standards enforcing code is better in a general security sense. Now, explicitly declaring it as POST will stop some CSRF attacks, but that's not the point. The point is that if you've written legible, properly written code, it's better in every aspect, especially security aspects. As a penetration tester, I can tell you with certainty that this in and of itself leads to a better security paradigm in your organization _and_ code. dw -- - http://stderr.ws/ "Insert pseudo-insightful quote here." - Some Guy _______________________________________________ UPHPU mailing list [email protected] http://uphpu.org/mailman/listinfo/uphpu IRC: #uphpu on irc.freenode.net
