Posted by Volker Birk on July 2, 2007, 11:18 am
> Volker Birk wrote:
> >> GET and HEAD commands sent to a web server should do nothing but read
> >> some stuff. They shouldn't change anything.
> > Oh yes, they can. They can change some state in the web server, why not?
> Read the RFC: They shouldn't, and if you don't follow this, you run into a
> big load of problems like inconsistencies on load errors or Cross Site
> Request Forgery attacks.
Do you want to claim that web applications which use GET requests are
impossible to implement?
You're claiming here that eBay doesn't exist, BTW.
Yours,
VB.
--
"Care must be taken that the Basic Law is not protected by methods
that are contrary to its aim and its spirit."
Gustav Heinemann, "Freimütige Kritik und demokratischer Rechtsstaat"
Posted by Sebastian G. on July 2, 2007, 11:31 am
Volker Birk wrote:
>> Volker Birk wrote:
>>>> GET and HEAD commands sent to a web server should do nothing but read
>>>> some stuff. They shouldn't change anything.
>>> Oh yes, they can. They can change some state in the web server, why not?
>> Read the RFC: They shouldn't, and if you don't follow this, you run into a
>> big load of problems like inconsistencies on load errors or Cross Site
>> Request Forgery attacks.
>
> Do you want to claim that web applications which use GET requests are
> impossible to implement?
No. I claim they're impossible to implement correctly w.r.t. how the
web browser as a client is modeled.
> You're claiming here that eBay doesn't exist, BTW.
No, I only claim that eBay is broken. Which it is, obviously.
Now will you please read my statement again? What part of "shouldn't" didn't
you understand?
Posted by Volker Birk on July 7, 2007, 4:17 am
> Now will you please read my statement again? What part of "shouldn't" didn't
> you understand?
I really don't understand how dumb a "discussion" can become.
VB.
--
"Care must be taken that the Basic Law is not protected by methods
that are contrary to its aim and its spirit."
Gustav Heinemann, "Freimütige Kritik und demokratischer Rechtsstaat"
Posted by Sebastian G. on July 7, 2007, 5:21 am
Volker Birk wrote:
>> Now will you please read my statement again? What part of "shouldn't" didn't
>> you understand?
>
> I really don't understand how dumb a "discussion" can become.
Oh, that's quite easy: Just take a fool who doesn't understand that GET
requests are expected not to change the application state, and that doing so
leads to an inconsistency between server and client.
Posted by Mark Shroyer on July 7, 2007, 4:36 am
> Volker Birk wrote:
>
>>> GET and HEAD commands sent to a web server should do nothing but read
>>> some stuff. They shouldn't change anything.
>>
>> Oh yes, they can. They can change some state in the web server, why not?
>
> Read the RFC: They shouldn't, and if you don't follow this, you run into a
> big load of problems like inconsistencies on load errors or Cross Site
> Request Forgery attacks.
Using POST instead of GET won't necessarily stop cross-site request
forgeries, though, if an attacker can get his victim to execute a
little bit of JavaScript...
(Not that I disagree with you in general; allowing GET commands to
change an application's state is definitely bad joojoo.)
--
Mark Shroyer
http://markshroyer.com/
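Both points raised in the thread (GET/HEAD must stay read-only, and POST by itself does not stop CSRF) can be shown in a small request handler. The following is an added example, not code from any poster or from eBay; the `WatchListApp` class, its `/watch` path and the in-memory state are constructed for illustration, and the mitigation shown for POST is a per-session synchronizer token.

```python
import hmac
import secrets
from http import HTTPStatus

# Constructed example: an in-memory "watch list" plus a per-session anti-CSRF token.
SAFE_METHODS = {"GET", "HEAD"}  # RFC 2616: safe methods must not change state


class WatchListApp:
    """Minimal request handler illustrating the two rules from the thread."""

    def __init__(self):
        self.watch_list = set()   # server-side application state
        self.sessions = {}        # session id -> synchronizer (anti-CSRF) token

    def new_session(self):
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = secrets.token_urlsafe(32)
        return sid

    def csrf_token(self, sid):
        """Token the legitimate page embeds in its own form; a foreign origin can't read it."""
        return self.sessions[sid]

    def handle(self, method, path, params, sid):
        """Return (status, body). Only POST may change state, and only with a valid token."""
        if sid not in self.sessions:
            return HTTPStatus.UNAUTHORIZED, ""
        if path != "/watch":
            return HTTPStatus.NOT_FOUND, ""
        if method in SAFE_METHODS:
            # Rule 1: GET/HEAD are read-only. Any "item" parameter is ignored, so a
            # prefetch, a reload or a bare link can never alter the watch list.
            body = ",".join(sorted(self.watch_list))
            return HTTPStatus.OK, ("" if method == "HEAD" else body)
        if method == "POST":
            # Rule 2 (Mark Shroyer's point): POST alone is not enough, because a
            # cross-site form submission is still a POST. Require the session's
            # token and compare it in constant time.
            sent = params.get("csrf_token", "")
            if not hmac.compare_digest(sent.encode(), self.sessions[sid].encode()):
                return HTTPStatus.FORBIDDEN, "bad csrf token"
            self.watch_list.add(params["item"])
            return HTTPStatus.OK, "added"
        return HTTPStatus.METHOD_NOT_ALLOWED, ""
```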