Joshua,
Simply saying that it's more secure because it's more standardized and
better code design doesn't make it more secure; if you can be hacked with
REQUEST, you can be hacked by POST and GET too. Standards in this case add
no more security than using tabs in your code versus spaces. I do agree
that it's the better practice overall, but that doesn't mean it's more
secure, just better written.
Joshua Simpson wrote:
On Thu, Feb 28, 2008 at 2:40 PM, Sean <[EMAIL PROTECTED]
<mailto:[EMAIL PROTECTED]>> wrote:
I agree. Also, if you actually look at the request being sent to the
server, the only difference between POST and GET is that one is in the
header whereas the other is in the body.
The only security it adds is a slight obscurity.
/me facepalms
This is NOT security through obscurity. This is explicitly declaring
which method you're using. This is better from a security schema
standpoint, a development standpoint, and a proper HTTP handling
standpoint (and the exact opposite, really, of "security through
obscurity" -- if you explicitly define what method you're using,
you're avoiding obscurity on your end, especially when you're in a
team development environment).
Look, guys, you're not using it because it'll trick hackers, so when
they only use GET requests you can say "WHEW! HA! THEY DIDN'T FIND MY
UBER SECRET POST HANDLING REQUEST!ONE!!1". It's because better-designed
and standards-enforcing code is better in a general security sense. Now,
explicitly declaring it as POST will stop some CSRF attacks, but that's
not the point. The point is that if you've written legible, properly
written code, it's better in every aspect, especially security aspects.
As a penetration tester, I can tell you with certainty that this in and
of itself leads to a better security paradigm in your organization _and_
code.
dw
--
-
http://stderr.ws/
"Insert pseudo-insightful quote here." - Some Guy
--
Sean Thayne,
Exit12
_______________________________________________
UPHPU mailing list
[email protected]
http://uphpu.org/mailman/listinfo/uphpu
IRC: #uphpu on irc.freenode.net
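Editor's note, added example (not from either poster). The thread argues over whether reading only POST is "more secure" than reading merged input, and whether that stops CSRF. The Python below makes the two positions concrete with constructed raw HTTP requests: it parses them, exposes the query string, the form body and their merge (my Python stand-ins for what I read the thread to mean by GET, POST and REQUEST, i.e. PHP's $_GET, $_POST and $_REQUEST), and dispatches them to three hypothetical transfer handlers. The handler names, the bank.example host, the HMAC-based token and the sample requests are all my assumptions for illustration.

```python
"""Added example: does forcing POST make a handler safer than reading merged
GET/POST input?  Constructed raw HTTP requests, parsed and dispatched offline."""
import hashlib
import hmac
from urllib.parse import parse_qs

# Assumption: stands in for server-side session state shared with the form page.
SESSION_SECRET = b"constructed-demo-secret"


def parse_http_request(raw: bytes) -> dict:
    """Minimal HTTP/1.x request parser: method, path, query, headers, body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    path, _, query = target.partition("?")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path,
            "query": {k: v[0] for k, v in parse_qs(query).items()},
            "headers": headers, "body": body.decode("latin-1")}

def get_params(req: dict) -> dict:
    """Query-string parameters, the equivalent of PHP's $_GET."""
    return dict(req["query"])

def post_params(req: dict) -> dict:
    """Form-encoded body parameters, the equivalent of PHP's $_POST."""
    ctype = req["headers"].get("content-type", "").split(";")[0].strip()
    if req["method"] != "POST" or ctype != "application/x-www-form-urlencoded":
        return {}
    return {k: v[0] for k, v in parse_qs(req["body"]).items()}

def request_params(req: dict) -> dict:
    """GET and POST merged, body winning on conflict: the $_REQUEST behaviour."""
    merged = get_params(req)
    merged.update(post_params(req))
    return merged

def _transfer(p: dict) -> tuple:
    """The business action every handler below ends in."""
    if "to" in p and "amount" in p:
        return ("transferred", p["to"], int(p["amount"]))
    return ("rejected", "missing parameters")

def transfer_via_request(req: dict) -> tuple:
    """Handler that reads merged input, so it answers GET and POST alike."""
    return _transfer(request_params(req))

def transfer_post_only(req: dict) -> tuple:
    """Handler that insists on POST and reads only the body."""
    if req["method"] != "POST":
        return ("rejected", "method not allowed")
    return _transfer(post_params(req))

def csrf_token(session_id: str) -> str:
    """Per-session token the legitimate form page would embed in a hidden field."""
    return hmac.new(SESSION_SECRET, session_id.encode(), hashlib.sha256).hexdigest()

def transfer_post_with_token(req: dict, session_id: str) -> tuple:
    """POST-only handler that also requires the session's CSRF token."""
    if req["method"] != "POST":
        return ("rejected", "method not allowed")
    p = post_params(req)
    if not hmac.compare_digest(p.get("csrf", ""), csrf_token(session_id)):
        return ("rejected", "bad csrf token")
    return _transfer(p)

# Constructed requests.  The victim's browser attaches the session cookie to
# whatever a third-party page makes it send; the attacker chooses only the
# method and the parameters.
FORGED_GET = (b"GET /transfer?to=mallory&amount=500 HTTP/1.1\r\n"
              b"Host: bank.example\r\nCookie: sid=victim\r\n\r\n")
FORGED_POST = (b"POST /transfer HTTP/1.1\r\nHost: bank.example\r\n"
               b"Cookie: sid=victim\r\n"
               b"Content-Type: application/x-www-form-urlencoded\r\n"
               b"Content-Length: 21\r\n\r\nto=mallory&amount=500")

def legit_post(session_id: str) -> bytes:
    """What the site's own form submits: same shape as FORGED_POST plus the token."""
    body = f"to=bob&amount=20&csrf={csrf_token(session_id)}".encode()
    return (b"POST /transfer HTTP/1.1\r\nHost: bank.example\r\n"
            b"Cookie: sid=" + session_id.encode() + b"\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)

def demo() -> dict:
    """Run every handler against the forged and legitimate requests."""
    g, p = parse_http_request(FORGED_GET), parse_http_request(FORGED_POST)
    legit = parse_http_request(legit_post("victim"))
    return {
        "merged handler, forged GET": transfer_via_request(g),
        "merged handler, forged POST": transfer_via_request(p),
        "POST-only handler, forged GET": transfer_post_only(g),
        "POST-only handler, forged POST": transfer_post_only(p),
        "token handler, forged POST": transfer_post_with_token(p, "victim"),
        "token handler, legitimate POST": transfer_post_with_token(legit, "victim"),
    }

if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:32} -> {outcome}")
```

Running it shows both sides of the argument at once. The merged handler accepts the forged parameters whether they arrive in the query string or the body, which is Sean's point: the method carries no security on its own. The POST-only handler rejects the forged GET (a link or an image tag), but any third-party page can build a form that POSTs to the same URL with the victim's cookies, so it accepts the forged POST exactly as the merged handler does; a method check alone rejects only the laziest CSRF. What actually separates the legitimate submission from the forged one is the per-session token (today you would add SameSite cookies and an Origin check as well), and that works regardless of which superglobal the parameters are read from.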