[tor-access] Predicting effectiveness
John Graham-Cumming
jgc at cloudflare.com
Mon Oct 3 19:28:48 UTC 2016
On Mon, Oct 3, 2016 at 8:18 PM, Jeff Burdges <burdges at gnunet.org> wrote:
> Ok. GETs are not supposed to modify resources, right? So they should
> be considerably safer than POSTs, right?
>
When we are thinking about security (rather than the functionality of a web
application) there is often little difference between a GET and a POST.
Consider the following examples:
1. Benign GET / repeated 1000 times per second. That's a DoS on the server
2. Shellshock. Looks like a benign GET / but nasty payload in User-Agent header
3. Simple GET but with SQLi in the URI
> What are the concerns for GETs? Also, do those concerns apply to truly
> static content even?
>
Depends what you mean by 'static content'. If a web site was served
entirely from Cloudflare's cache then I wouldn't be worried about #1, #2 or
#3 above. Any time we hit the origin web server I would worry.
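As an added illustration (not part of the thread, and not Cloudflare's tooling): origin-side detection logic in Python that flags each of the three GET cases above in combined-format access logs: the GET / flood, the Shellshock function definition in User-Agent, and SQLi in the URI. The log lines are constructed, and the regexes and the 1000-per-second threshold are assumptions for the example.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Apache/nginx "combined" log: ip ident user [time] "METHOD target HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>.*?) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Shellshock trigger is a bash function definition "() {" in a header value that CGI exports as an env var
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")
# Deliberately crude SQLi indicators for the request target (assumed patterns; tune against real traffic)
SQLI_RE = re.compile(r"(?i)'\s*(or|and)\b|union\s+select|--\s*$")

def parse(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def analyze(lines, flood_threshold=1000):
    """Return (kind, ip, detail) findings for GET requests that reached the origin."""
    findings = []
    gets_per_second = Counter()  # (ip, log timestamp to the second) -> number of GETs
    for line in lines:
        rec = parse(line)
        if rec is None or rec["method"] != "GET":
            continue
        gets_per_second[(rec["ip"], rec["ts"])] += 1
        if SHELLSHOCK_RE.search(rec["ua"]):          # case 2: payload rides in a header, not the URI
            findings.append(("shellshock-ua", rec["ip"], rec["ua"]))
        if SQLI_RE.search(unquote(rec["target"])):   # case 3: payload in the (percent-decoded) URI
            findings.append(("sqli-uri", rec["ip"], rec["target"]))
    for (ip, ts), n in gets_per_second.items():      # case 1: benign GET / repeated at DoS rate
        if n >= flood_threshold:
            findings.append(("get-flood", ip, f"{n} GETs in second {ts}"))
    return findings

# Constructed sample lines (not real traffic); IPs are from documentation ranges
TS = "03/Oct/2016:19:28:48 +0000"
def mk(ip, target, ua):
    return f'{ip} - - [{TS}] "GET {target} HTTP/1.1" 200 512 "-" "{ua}"'

SAMPLE_LINES = (
    [mk("198.51.100.9", "/", "Mozilla/5.0")] * 1200                                # GET / flood
    + [mk("203.0.113.5", "/", "() { :; }; echo")]                                 # Shellshock in User-Agent
    + [mk("203.0.113.6", "/item?id=1%27%20OR%20%271%27%3D%271", "curl/7.50")]     # ' OR '1'='1 in URI
    + [mk("203.0.113.7", "/about.html", "Mozilla/5.0")]                           # ordinary request
)
```

`analyze(SAMPLE_LINES)` yields one finding per case; requests answered entirely from a CDN cache never appear in the origin log, which is the distinction drawn above.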