Microsoft Web Services Security Recommendation: Disable HTTP-GET
Tue, 19 Mar 2002 23:11:13 -0800
The interesting bit is this HTML snippet:
To Get Rich Quick!
The bizarre thing, well, one of the bizarre things, okay, among the bizarre
things, is the path segment with 'ChangeXYZ' in it. (Sure, sure, URIs are
opaque and I should be spanked for reading between the slanty lines.)
Why would you put a verb in a resource identifier? Wouldn't a GET on that be
safe, if the programmer made it safe? Don't web developers know that GET
should be safe? (okay, I did the same thing one time because it was
convenient, but it was a major mistake.)
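To make the point concrete, here is an added example, my own code rather than anything from the post or from Microsoft: a stdlib-only WSGI handler for a hypothetical '/ChangeXYZ' endpoint taking an 'amount' parameter against a hypothetical Account. The 'before' version does what the verb-in-the-URI pattern invites and mutates state on a plain GET, so the same request a link prefetcher, a crawler or an <img src=...> on a hostile page would send goes through. The 'after' version treats GET/HEAD/OPTIONS as read-only, answers them with 405 and an Allow header, and only performs the change on a POST whose parameters come from the body.

```python
# Added example, not code from the original post.  "ChangeXYZ", the "amount"
# parameter and the Account class are hypothetical stand-ins for the endpoint
# the post describes.  Stdlib WSGI only, driven in-process (no socket).
import io
from urllib.parse import parse_qs
from wsgiref.util import setup_testing_defaults

# RFC 2616 section 9.1.1 "safe" methods: crawlers, prefetchers and <img src=...>
# tags issue these freely, so a handler must never mutate state on them.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}

class Account:
    """Hypothetical server-side state that ChangeXYZ mutates."""
    def __init__(self, balance=0):
        self.balance = balance

def change_xyz(account, params):
    """Apply the hypothetical change; params is a parse_qs() dict."""
    account.balance += int(params.get("amount", ["0"])[0])
    return account.balance

def _text(start_response, status, body, extra_headers=()):
    start_response(status, [("Content-Type", "text/plain"), *extra_headers])
    return [body.encode("utf-8")]

def vulnerable_app(account):
    """'Before': verb in the URI, and any request, including a plain GET from a
    link, a crawler or a hostile page, performs the change."""
    def app(environ, start_response):
        if environ["PATH_INFO"] != "/ChangeXYZ":
            return _text(start_response, "404 Not Found", "not found")
        new_balance = change_xyz(account, parse_qs(environ["QUERY_STRING"]))
        return _text(start_response, "200 OK", f"balance={new_balance}")
    return app

def hardened_app(account):
    """'After': safe methods are read-only; only POST with a form body reaches
    the change, everything else gets 405 and an Allow header."""
    def app(environ, start_response):
        if environ["PATH_INFO"] != "/ChangeXYZ":
            return _text(start_response, "404 Not Found", "not found")
        method = environ["REQUEST_METHOD"].upper()
        if method in SAFE_METHODS or method != "POST":
            return _text(start_response, "405 Method Not Allowed",
                         "ChangeXYZ requires POST", [("Allow", "POST")])
        # Parameters come from the entity body, never the query string, so a
        # GET carrying ?amount=... can never be replayed as a mutation.
        length = int(environ.get("CONTENT_LENGTH") or 0)
        body = environ["wsgi.input"].read(length).decode("utf-8")
        new_balance = change_xyz(account, parse_qs(body))
        return _text(start_response, "200 OK", f"balance={new_balance}")
    return app

def call(app, method, path, query="", body=b""):
    """Invoke a WSGI app directly; returns (status line, response text)."""
    environ = {}
    setup_testing_defaults(environ)
    environ.update({"REQUEST_METHOD": method, "PATH_INFO": path,
                    "QUERY_STRING": query, "wsgi.input": io.BytesIO(body),
                    "CONTENT_TYPE": "application/x-www-form-urlencoded",
                    "CONTENT_LENGTH": str(len(body))})
    captured = {}
    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers
    out = b"".join(app(environ, start_response))
    return captured["status"], out.decode("utf-8")

def demo():
    """Replay the unsolicited GET a prefetcher or an attacker's <img> tag would
    send against both versions, then a real POST against the hardened one."""
    victim = Account(balance=100)
    vuln_status, _ = call(vulnerable_app(victim), "GET", "/ChangeXYZ", "amount=-100")
    vuln_balance = victim.balance            # drained by a GET the user never chose
    victim = Account(balance=100)
    app = hardened_app(victim)
    get_status, _ = call(app, "GET", "/ChangeXYZ", "amount=-100")
    balance_after_get = victim.balance       # untouched
    post_status, _ = call(app, "POST", "/ChangeXYZ", body=b"amount=-100")
    balance_after_post = victim.balance      # changed only on an explicit POST
    return {
        "vulnerable_get_status": vuln_status,
        "vulnerable_balance_after_get": vuln_balance,
        "hardened_get_status": get_status,
        "hardened_balance_after_get": balance_after_get,
        "hardened_post_status": post_status,
        "hardened_balance_after_post": balance_after_post,
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

One caveat a practitioner will want: refusing safe methods stops the accidental and the trivially forged cases (prefetch, crawlers, a GET smuggled in an image tag), but it does not stop a hostile page from submitting a cross-site form POST; that takes an anti-forgery token tied to the session, which this example leaves out.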
The other example of a form POST is more realistic, but I'm amazed that MS
is suggesting turning off Web applications developed with .NET.
And who would believe that an automated web service that has /no/ user
interface will be any safer?
And we won't even mention the @ in the middle of the query terms.
Perhaps MS is /trying/ to close off the port 80 'loophole' in the