[UPHPU] receiving with $_REQUEST

Joshua Simpson std3rr at gmail.com
Thu Feb 28 16:06:54 MST 2008


On Thu, Feb 28, 2008 at 2:40 PM, Sean <sean at lookin3d.com> wrote:

> I agree, also if you actually look at the request being sent to the
> server, the only difference between POST and GET is that one is in the header
> whereas the other is in the body.
>
> The only security it adds is a slight obscurity.
>

/me facepalms

This is NOT security through obscurity.  This is explicitly declaring which
method you're using.  This is better from a security schema standpoint, a
development standpoint, and a proper HTTP handling standpoint (and the exact
opposite, really, of "security through obscurity" -- if you explicitly
define what method you're using, you're avoiding obscurity on your end,
especially when you're in a team development environment).

Look guys, you're not using it because it'll trick hackers so when they only
use GET requests you can say "WHEW! HA! THEY DIDN'T FIND MY UBER SECRET POST
HANDLING REQUEST!ONE!!1".  It's because better designed and standards
enforcing code is better in a general security sense.  Now, explicitly
declaring it as POST will stop some CSRF attacks, but that's not the point.
The point is that if you've written legible, properly written code, it's
better in every aspect, especially security aspects.  As a penetration
tester, I can tell you with certainty that this in and of itself leads to a
better security paradigm in your organization _and_ code.


dw

-- 
-
http://stderr.ws/
"Insert pseudo-insightful quote here." - Some Guy
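As an added illustration (not code from the thread or from either poster), the contrast the reply is drawing: a PHP handler that reads from $_REQUEST, which merges GET, POST and COOKIE values, beside one that requires POST explicitly, reads only $_POST and checks a per-session CSRF token. The function names, the `action`/`id`/`token` field names and the session key are assumptions.

```php
<?php
// Added example, not from the thread. Assumes a small form handler.
// Weak version: $_REQUEST merges GET, POST and COOKIE (in request_order),
// so the handler cannot tell whether "action" and "id" came from a
// query string, a form body or a cookie. A state-changing action is
// therefore reachable through a plain GET link.
function handle_weak(): string
{
    if (($_REQUEST['action'] ?? '') === 'delete') {
        return 'deleted ' . ($_REQUEST['id'] ?? '');
    }
    return 'noop';
}

// Explicit version: state-changing work happens only on POST, input is
// read only from $_POST, and a constant-time CSRF token check is applied.
function handle_explicit(): string
{
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        http_response_code(405);
        header('Allow: POST');
        return 'method not allowed';
    }
    $token = $_POST['token'] ?? '';
    if ($token === '' || !hash_equals($_SESSION['csrf_token'] ?? '', $token)) {
        http_response_code(403);
        return 'bad csrf token';
    }
    if (($_POST['action'] ?? '') === 'delete') {
        // Validate the id as an integer before using it anywhere.
        $id = filter_var($_POST['id'] ?? '', FILTER_VALIDATE_INT);
        if ($id === false) {
            http_response_code(400);
            return 'bad id';
        }
        return "deleted $id";
    }
    return 'noop';
}

// Issue the per-session token that the form must echo back in "token".
session_start();
if (empty($_SESSION['csrf_token'])) {
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}
echo handle_explicit();
```

The method check alone rejects the GET-link case; the token check is what closes the remaining cross-site POST case, which is why the reply says declaring POST stops only some CSRF attacks.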