Microsoft Web Services Security Recommendation: Disable HTTP-GET

Mr. FoRK fork_list@hotmail.com
Tue, 19 Mar 2002 23:11:13 -0800


The interesting bit is this HTML snippet:
--ms sample--

To Get Rich Quick!

--ms sample--

The bizarre thing, well, one of the bizarre things, okay, among the bizarre
things, is the path segment with 'ChangeXYZ' in it. (Sure, sure, URIs are
opaque and I should be spanked for reading between the slanty lines.)
Why would you put a verb in a resource identifier? Wouldn't a GET on that be
safe, if the programmer made it safe? Don't web developers know that GET
should be safe? (Okay, I did the same thing one time because it was
convenient, but it was a major mistake.)
The other example of a form POST is more realistic - but I'm amazed that MS
is suggesting turning off Web applications developed with .NET.
And who would believe that an automated web service that has /no/ user
interface will be any bit safer?

And we won't even mention the @ in the middle of the query terms.

Perhaps MS is /trying/ to close off the port 80 'loophole' in the
firewall...
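For readers wondering what "disable HTTP-GET" actually means in practice, here is the web.config fragment that removes the HTTP-GET (and HTTP-POST) protocol bindings from ASP.NET .asmx web services. This is an added illustration, not taken from the post or from Microsoft's page; it assumes an ASP.NET 1.x application's web.config and uses the built-in protocol names HttpGet and HttpPost.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <webServices>
      <protocols>
        <!-- Removing HttpGet means a web method can no longer be invoked by
             a plain URL such as Service.asmx/MethodName?param=value, i.e.
             by an <a href> or <img src> planted on any page the user visits. -->
        <remove name="HttpGet" />
        <!-- Removing HttpPost likewise stops invocation from an ordinary
             HTML <form method="post"> on a third-party site. -->
        <remove name="HttpPost" />
        <!-- SOAP (HttpSoap) is left enabled; the .asmx service still works
             for real web-service clients. -->
      </protocols>
    </webServices>
  </system.web>
</configuration>
```

Two caveats. First, this only affects .asmx web services; it does nothing for an ordinary page that performs a state change on GET, such as the 'ChangeXYZ' link above, which can only be fixed by making the GET handler side-effect free. Second, the setting blocks the cheapest cross-site trigger (a link or image tag), but a web service that relies on the caller's ambient credentials, such as a cookie or integrated authentication, is still invokable by any party that can get a SOAP request to it; removing GET narrows the attack surface, it does not provide authorization.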