Daniel Coughlin wrote:
> The only difference between CSS attacks with POST vs GET methods is ease.
> It's easier with the GET method because, as you have noticed, the attacker
> can see the GET request in the location field of the browser.
> POST requests are not visible this way so may appear more secure, BUT THEY
> ARE NOT. Say you have a guestbook that accepts POST requests. (First of all -
> if your client code doesn't filter script tags, we could just type a mean
> javascript into the text entry fields). Now let's imagine you *do* filter
> script tags out of the input with your client code - the attacker can still
> 1) turn off javascript to break through your client side filtering or 2) use a
> perl or python script to bypass the client altogether. Now everyone
> viewing your guestbook will get hit with the mean javascript. POSTing to a
> form via a perl script is as simple as looking at the form source code.
>
Well said.

> The moral is to do client as well as server side checking for malicious
> code.

I would say that doing client-side checking should be done purely for user convenience and not security. "never trust client-side data".
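
The server-side check discussed in this thread, as an added example that is not part of the original messages: a minimal WSGI guestbook that reads GET and POST fields the same way and HTML-escapes every stored value when the page is rendered, so the result does not depend on any filtering in the browser. The names `guestbook_app`, `read_fields`, `render_page`, `submit`, the field names `name` and `message`, and the 500-character limit are assumptions made for the illustration.

```python
import html
import io
from urllib.parse import parse_qs

ENTRIES = []    # in-memory guestbook store, constructed for this example
MAX_LEN = 500   # assumed length limit, enforced on the server

def read_fields(environ):
    """Read form fields the same way for GET (query string) and POST (body)."""
    if environ["REQUEST_METHOD"] == "POST":
        size = int(environ.get("CONTENT_LENGTH") or 0)
        raw = environ["wsgi.input"].read(size).decode("utf-8", "replace")
    else:
        raw = environ.get("QUERY_STRING", "")
    return {key: values[0] for key, values in parse_qs(raw).items()}

def render_page():
    """Escape every stored value at output time, whatever the client sent."""
    rows = "".join(
        "<li><b>%s</b>: %s</li>" % (html.escape(name), html.escape(message))
        for name, message in ENTRIES
    )
    return "<ul>%s</ul>" % rows

def guestbook_app(environ, start_response):
    """WSGI app: store the entry, then return the guestbook page."""
    fields = read_fields(environ)
    message = fields.get("message", "")
    if message:
        ENTRIES.append((fields.get("name", "anonymous")[:MAX_LEN], message[:MAX_LEN]))
    body = render_page().encode("utf-8")
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8"),
                              ("Content-Length", str(len(body)))])
    return [body]

def submit(method, encoded_form):
    """Call the app directly, as any non-browser client reaches the server."""
    data = encoded_form.encode("ascii")
    environ = {
        "REQUEST_METHOD": method,
        "QUERY_STRING": encoded_form if method == "GET" else "",
        "CONTENT_LENGTH": str(len(data)) if method == "POST" else "0",
        "wsgi.input": io.BytesIO(data if method == "POST" else b""),
    }
    return b"".join(guestbook_app(environ, lambda status, headers: None)).decode("utf-8")

if __name__ == "__main__":
    # Constructed sample input: a message containing a script tag.
    print(submit("POST", "name=visitor&message=%3Cscript%3Ealert(1)%3C%2Fscript%3E"))
```

Escaping at render time covers entries already in the store as well as new ones, which input filtering alone does not.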
