PHP

yintercept's Journal: Hacking an HTML Form for first graders

I've read a number of PHP sites (and have spoken with supposed PHP gurus) who say that, as a security matter, web sites should never draw information from $_REQUEST. They should only draw data from $_POST or $_GET. Basically, GET data is the stuff in the URL. POST data is the stuff that comes from a form with its method set to "post".

Some of these wanks actually seem to think that POST data is somehow more secure than GET data. A hacker can manipulate GET data by typing stuff in the address bar.

Well, for folks who think that POST data is somehow more secure than GET, I thought I would write a quick tutorial on hacking POST data. Here goes:

You can hack at a site that uses HTML forms by saving the form to your disk. You then use view source to edit the file. If the form used a relative URL, you would need to change that to an absolute URL. You then might want to change all of the type="hidden" inputs to type="text" inputs.

With less than a half minute of effort a first grader can start hacking on a post form.

Most of the really serious hacking jobs I've detected on my sites have come from people using forms, and not from people manipulating the URI query string.

Anyone who buys the line that POST is somehow more secure than GET is suffering a serious lack of understanding of the way things work.

BTW, the reason that I am on this rant is that the impulse to distinguish between POST and GET is actually problematic for me. I am used to using an n-tiered approach to web development. Each layer of the structure exposes an interface to the next layer. The database layer, where I do most of the data validation, would want to know that the data came from the web server. It really doesn't care how the web client sent the data to the web server.

I can see some value in distinguishing between POST and GET in programs that actually produce web pages. I could even see merit in writing code to help determine whether a call is part of a hacking attack. However, I don't hold the illusion that such measures buy me any security.
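The validation-layer idea above, as an added example that is not code from the journal post: one PHP function that accepts $_GET, $_POST or $_REQUEST alike and checks every field the same way, so an edited hidden input or an extra field from a saved-and-modified form is rejected regardless of transport. The field names, the price list and the two sample submissions are assumed, constructed values.

```php
<?php
// Added example, not code from the journal post. A validation layer that
// treats GET and POST identically: both arrive from the client, so both are
// checked the same way. Field names and the price list are constructed.
declare(strict_types=1);
// Constructed server-side price list (cents): the only trusted source of prices.
const PRODUCTS = ['widget' => 1999, 'gadget' => 4999];

/** Validate an order. $input may be $_GET, $_POST or $_REQUEST; this layer
 *  only cares that every field is checked, not which transport carried it.
 *  Returns ['product' => string, 'qty' => int, 'total' => int] or throws. */
function validate_order(array $input): array
{
    // Whitelist the expected keys: a hidden field the client renamed, or an
    // extra field it added after editing the saved form, is rejected here.
    $unexpected = array_diff(array_keys($input), ['product', 'qty']);
    if ($unexpected !== []) {
        throw new InvalidArgumentException('unexpected field(s): ' . implode(', ', $unexpected));
    }
    $product = $input['product'] ?? null;
    if (!is_string($product) || !array_key_exists($product, PRODUCTS)) {
        throw new InvalidArgumentException('unknown product');
    }
    // FILTER_VALIDATE_INT rejects "5abc", "1e3", arrays and empty values,
    // and the range options bound the quantity.
    $qty = filter_var($input['qty'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 100]]);
    if ($qty === false) {
        throw new InvalidArgumentException('invalid quantity');
    }
    // Recompute the total from the server-side list; a hidden "price" field,
    // even if the form had one, is never read.
    return ['product' => $product, 'qty' => $qty, 'total' => PRODUCTS[$product] * $qty];
}

// Constructed submissions standing in for a URL query string and for a saved,
// edited form posted back with an extra field.
$fromQueryString = ['product' => 'widget', 'qty' => '2'];
$fromEditedForm  = ['product' => 'widget', 'qty' => '2', 'price' => '1'];

foreach ([$fromQueryString, $fromEditedForm] as $submission) {
    try {
        print_r(validate_order($submission));
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```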