HTML/Middle-click/Security question...
Fraser Campbell
fraser-eicrhRFjby5dCsDujFhwbypxlwaOVQ5f at public.gmane.org
Sat Mar 10 21:33:02 UTC 2007
On Saturday 10 March 2007 12:05, Madison Kelly wrote:
> > Switching from GET to POST adds no extra security whatsoever. Now you
> > can forget about "middle-click" and go back to solving your real
> > problem.
> >
> > HTH,
>
> I have no doubt you are right (I myself have never claimed to be an
> expert in security). Could I ask though for you to elaborate a bit on
> why it doesn't help or what methods I could look at that might be better?
One advantage to POST is that the variables being passed along will not show
up in web server logs (and proxy logs that might be intercepting requests).
If however you believe that you're limiting a user's knowledge of the
application and/or limiting a user's ability to break the application by
using POST and form variables (hidden or not) then that is not true at all -
either GET or POST are user supplied variables that must be viewed with equal
scepticism (i.e. validation).
I think another advantage to POST is that web accelerators (Google Web
Accelerator as an example) will not prefetch pages that are sent via POST.
If you have GET links on a page then you might have an accelerator
inadvertently pre-fetch a page which has destructive, or unintended,
consequences - not sure how prevalent this problem is.
Check out http://www.owasp.org/ and particularly the guide to building secure
web applications and web services
(http://superb-east.dl.sourceforge.net/sourceforge/owasp/OWASPGuide2.0.1.pdf) -
I haven't read this new version but I thought v1 of their document wasn't
bad.
--
Fraser Campbell <fraser-Txk5XLRqZ6CsTnJN9+BGXg at public.gmane.org> http://www.wehave.net/
Georgetown, Ontario, Canada Debian GNU/Linux
--
The Toronto Linux Users Group. Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists
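The two points in the message above (a GET query string lands in server and proxy access logs while a POST body does not, and both are untrusted input that need the same validation) as an added, self-contained Python example; this is illustration code, not the poster's, and the parameter names, allowed patterns and the simulated log format are assumptions constructed for it:

```python
import re
from urllib.parse import parse_qs

# Keys and value patterns accepted from the client; the same table is
# applied to GET and POST (constructed for this example).
ALLOWED = {"user": re.compile(r"^[a-z0-9_]{1,32}$"),
           "action": re.compile(r"^(view|delete)$")}

def access_log_line(method, path, query_string):
    """Approximates what a web-server or proxy access log records:
    the request line (method, path, query string), never the POST body."""
    target = path + ("?" + query_string if query_string else "")
    return f'"{method} {target} HTTP/1.1"'

def extract_params(method, query_string, body):
    """Collect client-supplied variables from the query string (GET) or
    the urlencoded body (POST). Either way they are untrusted input."""
    raw = query_string if method == "GET" else body
    return {k: v[0] for k, v in parse_qs(raw, keep_blank_values=True).items()}

def validate(params):
    """Reject unknown keys and malformed values regardless of method."""
    errors = []
    for key, value in params.items():
        pattern = ALLOWED.get(key)
        if pattern is None:
            errors.append(f"unexpected parameter: {key}")
        elif not pattern.match(value):
            errors.append(f"malformed value for {key}")
    return errors

def handle(method, path, query_string="", body=""):
    """Return (status, message, log_line) for one simulated request."""
    log_line = access_log_line(method, path, query_string)
    params = extract_params(method, query_string, body)
    errors = validate(params)
    if errors:
        return 400, "; ".join(errors), log_line
    # A state-changing action must not be reachable by GET: prefetchers
    # and crawlers follow GET links but do not submit POST forms.
    if params.get("action") == "delete" and method != "POST":
        return 405, "delete requires POST", log_line
    return 200, f"{params.get('action', 'view')} ok for {params.get('user')}", log_line
```

Compare the third element of the returned tuple for a GET and a POST carrying the same variables: only the GET request line exposes them, while the validation result is identical for both.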