
This is the Title of the Book, eMatter Edition
Copyright © 2007 O’Reilly & Associates, Inc. All rights reserved.
334
|
Chapter 10: Securing Web Servers
An HTTP GET request contains a header but no body. Apache handles the request
directly, assigning everything after the
? to the QUERY_STRING environment variable.
Since all the information is in the URL itself, a GET URL can be bookmarked or
repeated from the browser, without resubmitting a form. It can also be generated
easily by client-side or server-side scripting languages.
Although you may see some very long and complex GET URLs, web servers may
have size limits that silently snip your URL. Apache guards against GET buffer over-
flow attacks, but some other web servers and web cache servers may not.
Since all the parameters are in the URL, they also appear in the web-server logs. If
there is any sensitive data in the form, a POST URL should be used.
The
? and /cgi-bin advertise that this URL calls a CGI script called groucho.pl. You
may want the benefits of a GET URL without letting everyone know that this is a
CGI script. If an attacker knows you’re using Perl scripts on Apache, for instance, he
can target his attack more effectively. Another reason to hide the invocation of a
script involves making the URL more search-engine friendly. Many web search
engines skip URLs that look like CGI scripts. One technique uses the
PATH_INFO envi-
ronment