Bitland.Net Security Notes
Comments? email jwilkins-at-bitland*net
More information on the author at Jonathan Wilkins's home page.
RSS feed available at http://www.bitland.net/index.rss
GET considered harmful (2006/12/03 01:15)
OK, it's not quite that bad, but I'm seeing a ton of web application developers making the same mistake in their use of the GET method. Essentially, GET is only supposed to be used in cases where no data is being changed on the server. This is spelled out in the HTTP RFC (see RFC 2616 section 9 for details), and ignoring it has been responsible for at least a few major bugs over the years. I even recently came across this error on Yahoo's Developer Security Best Practice page (see the Request Forgery section).

The HTTP/1.1 RFC says that GET and HEAD in particular are supposed to be safe and idempotent. This means that they should not perform any action other than retrieval (safe) and that repeating the same request should have no additional side effects (idempotent).

The most famous error of this type was when Google released the Google Web Accelerator (GWA). This broke a ton of applications, particularly those based on Ruby on Rails, since applications built with Rails were especially prone to using GETs to perform actions. In order to speed up the user's experience, GWA would pre-fetch all of the links on a page. This was great for images and so forth, but Rails applications were doing things like deleting records and cancelling accounts through GETs. The authors of some web applications made things worse by relying on JavaScript confirmations to guard those links. Of course, GWA (correctly) wasn't running JavaScript, so the confirmation never appeared and the link was fetched anyway.
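To make the failure concrete, here is an added example that is not part of the original post and not code from Rails, GWA or Yahoo. It models two tiny in-memory web applications as request handlers: `UnsafeApp` deletes a record when a plain link is followed (the Rails-style mistake), while `SafeApp` keeps GET safe and idempotent, renders a POST form carrying a per-session CSRF token, and only deletes on a POST with a valid token. A simulated `prefetch` function does what the post describes GWA doing: it fetches a page and then fetches every link on it, sending the browser's cookies but running no JavaScript and never submitting forms. All class, function and route names, the session cookie and the sample records are constructed for this illustration.

```python
"""Added example: why a state-changing GET breaks under a link prefetcher.

Nothing here is code from the original post or from any real framework;
UnsafeApp, SafeApp, prefetch and the /records routes are invented names.
"""
import html
import re
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    method: str
    path: str
    form: dict = field(default_factory=dict)     # POST body fields
    cookies: dict = field(default_factory=dict)  # sent with every request, prefetched or not


@dataclass
class Response:
    status: int
    body: str = ""
    headers: dict = field(default_factory=dict)


class UnsafeApp:
    """The mistake: a record is deleted by following a plain <a href> link."""

    def __init__(self):
        self.records = {"1": "invoice", "2": "contract"}  # constructed sample data

    def handle(self, req):
        if req.path == "/records":
            links = "".join(
                f'<a href="/records/{k}/delete">delete {html.escape(v)}</a>'
                for k, v in self.records.items())
            return Response(200, f"<html><body>{links}</body></html>")
        m = re.fullmatch(r"/records/(\w+)/delete", req.path)
        if m:
            # Side effect on a GET: anything that follows links will trigger it.
            self.records.pop(m.group(1), None)
            return Response(302, headers={"Location": "/records"})
        return Response(404)


class SafeApp:
    """GET only reads; the delete is a POST form protected by a CSRF token."""

    def __init__(self):
        self.records = {"1": "invoice", "2": "contract"}
        self.csrf_tokens = {}  # session id -> token, created on first page view

    def handle(self, req):
        session = req.cookies.get("session")
        if req.method == "GET" and req.path == "/records":
            token = self.csrf_tokens.setdefault(session, secrets.token_hex(16))
            forms = "".join(
                f'<form method="post" action="/records/{k}/delete">'
                f'<input type="hidden" name="csrf" value="{token}">'
                f'<button>delete {html.escape(v)}</button></form>'
                for k, v in self.records.items())
            return Response(200, f"<html><body>{forms}</body></html>")
        m = re.fullmatch(r"/records/(\w+)/delete", req.path)
        if m:
            if req.method != "POST":
                return Response(405, headers={"Allow": "POST"})
            expected = self.csrf_tokens.get(session)
            if not expected or not secrets.compare_digest(req.form.get("csrf", ""), expected):
                return Response(403)
            self.records.pop(m.group(1), None)
            return Response(302, headers={"Location": "/records"})
        return Response(404)


def prefetch(app, start="/records", cookies=None):
    """Simulated link prefetcher: GET the page, then GET every href on it.

    Like the accelerator described in the post it carries the browser's
    cookies, runs no JavaScript and never submits forms. Returns the hrefs it followed.
    """
    cookies = cookies or {}
    page = app.handle(Request("GET", start, cookies=cookies))
    hrefs = re.findall(r'href="([^"]+)"', page.body)
    for href in hrefs:
        app.handle(Request("GET", href, cookies=cookies))
    return hrefs


def run_demo():
    """Run the prefetcher against both apps, then a real user's POST; report record counts."""
    cookies = {"session": "user-1"}  # constructed logged-in session
    unsafe = UnsafeApp()
    prefetch(unsafe, cookies=cookies)
    safe = SafeApp()
    prefetch(safe, cookies=cookies)
    safe_after_prefetch = len(safe.records)
    # A genuine user loads the page (a safe GET) and submits the form with its token.
    listing = safe.handle(Request("GET", "/records", cookies=cookies))
    token = re.search(r'name="csrf" value="([0-9a-f]+)"', listing.body).group(1)
    safe.handle(Request("POST", "/records/1/delete", form={"csrf": token}, cookies=cookies))
    return {"unsafe_after_prefetch": len(unsafe.records),
            "safe_after_prefetch": safe_after_prefetch,
            "safe_after_user_post": len(safe.records)}


if __name__ == "__main__":
    print(run_demo())
```

The prefetcher empties `UnsafeApp` entirely without the user clicking anything, while `SafeApp` loses nothing: its listing contains no links to follow, a bare GET to the delete route is answered with 405, and a POST without the session's token is refused with 403. Only the deliberate form submission removes a record.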