jsr340-experts@servlet-spec.java.net

[jsr340-experts] Re: [servlet-spec users] Re: security concern (protocol parameter parsing order)

From: Jeff Williams <jeff.williams_at_aspectsecurity.com>
Date: Wed, 11 Jul 2012 09:03:17 -0400

> On 10 July 2012 20:57, Jeff Williams <jeff.williams_at_aspectsecurity.com> wrote:
>> So if the API doesn't change, what exactly are developers
>> supposed to do? Rewrite their app so that the form and form-handler
>> are different URLs? That seems extremely painful.
>
> All developers need to do is to specify the form handling URL and not
> let it default to the page URL. The URL can be specified to be exactly the
> form URL or something different, so the structure of the webapp does not
> need to change.

That's a good point. I'll make sure that the OWASP guidance is updated
to address this.

> If any action should be taken, perhaps it should be suggested to the
> W3C that the HTTP spec be changed so that default form targets should not
> include the query parameters?

Hmm.... there's some fault on both sides here, and I'd hate to see this
linger in a spec-finger-pointing war while people are vulnerable. I've
asked OWASP to look into gathering some numbers to see how widespread
this problem is.

I was really hoping that there was something more we could do to make
legacy apps safe. What about changing the default behavior to use POST
parameters first? There could be an override configuration in web.xml
if you want the current behavior.

--Jeff
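As an added illustration (not code from this thread, the OWASP guidance or the Servlet spec), a filter that catches the ambiguity the thread turns on: a POST whose query string and body both carry the same parameter name. It assumes the javax.servlet API of the JSR 340 era and a web.xml mapping for the filter; the class name is hypothetical.

```java
import java.io.IOException;
import java.net.URLDecoder;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter: rejects a POST whose query string and body both carry
// the same parameter name. With query-first merging, getParameter() would
// return the query-string value for that name, which is the case discussed
// in this thread.
public class ParameterCollisionFilter implements Filter {

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        if ("POST".equals(http.getMethod())) {
            for (Map.Entry<String, Integer> e : queryCounts(http.getQueryString()).entrySet()) {
                // The container merges query and body values into one array, so
                // more values than the query string alone carries means the body
                // also sent this name.
                String[] merged = http.getParameterValues(e.getKey());
                if (merged != null && merged.length > e.getValue()) {
                    req.getServletContext().log("parameter '" + e.getKey()
                        + "' in both query string and body: " + http.getRequestURI());
                    ((HttpServletResponse) res).sendError(HttpServletResponse.SC_BAD_REQUEST);
                    return;
                }
            }
        }
        chain.doFilter(req, res);
    }

    // Counts how often each decoded parameter name occurs in the raw query string.
    static Map<String, Integer> queryCounts(String query) throws IOException {
        Map<String, Integer> counts = new HashMap<String, Integer>();
        if (query == null) return counts;
        for (String pair : query.split("&")) {
            if (pair.isEmpty()) continue;
            int eq = pair.indexOf('=');
            String name = URLDecoder.decode(eq < 0 ? pair : pair.substring(0, eq), "UTF-8");
            Integer n = counts.get(name);
            counts.put(name, n == null ? 1 : n + 1);
        }
        return counts;
    }
}
```

Rejecting with 400 is the strict option; logging alone is enough if the goal is only to measure how often legacy forms hit the collision.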