[UPHPU] receiving with $_REQUEST

Sean sean at lookin3d.com
Thu Feb 28 16:14:31 MST 2008


Joshua,
   
    Simply by saying that it's more secure because it's more 
standardized and better code design, doesn't make it more secure, if you 
can be hacked with request, you can be hacked by post and get too. 
Standards in this case adds no more security than using tabs in your 
code versus spaces. I do agree that it's the better practice overall, 
but that doesn't mean it's more secure, just better written.

Joshua Simpson wrote:
>
> On Thu, Feb 28, 2008 at 2:40 PM, Sean <sean at lookin3d.com 
> <mailto:sean at lookin3d.com>> wrote:
>
>     I agree, also if you actually look at the request being sent to the
>     server, the only difference between POST and GET is on is in the
>     header
>     where as the other is in the body.
>
>     The only security it adds is a slight obscurity.
>
>
> /me facepalms
>
> This is NOT security through obscurity.  This is explicitly declaring 
> which method you're using.  This is better from a security schema 
> standpoint, a development standpoint, and a proper HTTP handling 
> standpoint (and the exact opposite, really, of "security through 
> obscurity" -- if you explicitly define what method you're using, 
> you're avoiding obscurity on your end, especially when you're in a 
> team development environment).
>
> Look guys, you're not using it because it'll trick hackers so when 
> they only use GET requests you can say "WHEW! HA! THEY DIDN'T FIND MY 
> UBER SECRET POST HANDLING REQUEST!ONE!!1".  It's because better 
> designed and standards enforcing code is better in a general security 
> sense.  Now, explicitly declaring it as POST will stop some CSRF 
> attacks, but that's not the point.  The point is that if you've 
> written legible, properly written code, it's better in every aspect, 
> especially security aspects.   As a penetration tester, I can tell you 
> with certainty that this in and of itself leads to a better security 
> paradigm in your organization _and_ code.
>
>
> dw
>
> -- 
> -
> http://stderr.ws/
> "Insert pseudo-insightful quote here." - Some Guy 

-- 

Sean Thayne,
Exit12



More information about the UPHPU mailing list