When the GET method is used, all the parameters that are passed to the script are placed into global variables. In addition, they are also placed into the $HTTP_GET_VARS array, or $_GET for short. But there is more to come. The parameters are also displayed in the browser's URL field. Thus, when the above example code that passes name and password parameters is executed, the URL will change to this: http://192.168.77.1/param.php?UserName=Flenov&Password=qwerty. That is, the original URL is appended with a question mark followed by the parameters, passed in the parameter_name=parameter_value format and delimited by the ampersand (&).
How safe do you think this method is? Good thinking! Any of the parameters can be easily changed manually without even changing the form's source code. When developing scripts, you should make it as hard as possible for hackers to manipulate parameters. For example, do not use the GET method to transmit passwords, because it can be easily intercepted.
Another problem with this method is its openness. Consider the password example again. When a user enters a password via this method, the password will be displayed in the browser's URL field. Anyone passing by at this time can see this password in there.
Therefore, do not use the GET method to send important data; use the POST method for this instead. All this, however, does not mean that the GET method is totally useless. It simply has to be used with special care, and any data received through this method should be carefully checked.
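The rule above can be enforced by the login script itself. The following is an added example, not code from the original page: it reuses the UserName and Password field names from the URL shown earlier, and the function name `readLogin` and its array arguments (stand-ins for $_SERVER, $_GET and $_POST) are assumptions made so that it runs from the command line.

```php
<?php
// Added example, not from the original page. $server, $get and $post stand in
// for $_SERVER, $_GET and $_POST so the function can be run with constructed input.
function readLogin(array $server, array $get, array $post): array
{
    // A credential in the query string is already visible in the browser's URL
    // field, so refuse it instead of silently accepting it.
    foreach (['UserName', 'Password'] as $field) {
        if (array_key_exists($field, $get)) {
            return ['status' => 400, 'error' => "$field must not be sent in the URL"];
        }
    }
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return ['status' => 405, 'error' => 'login requires POST'];
    }
    $user = $post['UserName'] ?? null;
    $pass = $post['Password'] ?? null;
    // UserName[]=x arrives as an array; accept only non-empty strings.
    if (!is_string($user) || !is_string($pass) || $user === '' || $pass === '') {
        return ['status' => 400, 'error' => 'UserName and Password are required'];
    }
    // The caller checks $pass against the stored hash with password_verify().
    return ['status' => 200, 'user' => $user, 'password' => $pass];
}

// Constructed requests: the page's GET example, the same login sent by POST,
// and a POST whose UserName was sent as an array.
$cases = [
    [['REQUEST_METHOD' => 'GET'],  ['UserName' => 'Flenov', 'Password' => 'qwerty'], []],
    [['REQUEST_METHOD' => 'POST'], [], ['UserName' => 'Flenov', 'Password' => 'qwerty']],
    [['REQUEST_METHOD' => 'POST'], [], ['UserName' => ['x'], 'Password' => 'qwerty']],
];
foreach ($cases as [$server, $get, $post]) {
    $r = readLogin($server, $get, $post);
    echo $r['status'], ' ', ($r['error'] ?? ('accepted for ' . $r['user'])), "\n";
}
```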
The following are examples of situations in which the GET method can be used:
One is when users have to be able to reference a page directly, without first entering parameters on a separate form, or when some data have to be personalized.
The GET method is frequently used in partnership programs. These work as follows. Suppose you have registered as a partner of the www.arizona.com store and are entitled to a certain percentage of the sum paid for the merchandise sold on referrals from your site. How will the store know that a particular buyer was referred to them from your site? The easiest way of getting this done is to place a reference to Arizona on your site that has a GET parameter identifying you, for example: www.arizona.com?partner=profwebev. A script on the arizona.com server will check the partner parameter for the name of a registered partner. If it contains one, the percentage has to be paid out.
There simply is no absolutely secure parameter-passing method, but the GET method is too simple and makes it easy for hackers to use the URL to search for vulnerabilities in your scripts. The easier the error is to find, the sooner it will be found, and then you can only pray that this error is not put to illicit use.
Another problem with GET requests is related to search systems, especially one as powerful as Google.com. Suppose you have found out that there is a weak spot in some site management system. What is a site management system? There are many payware and freeware software packages, written in different languages, for creating a website without requiring any knowledge of the conventional tools used to build websites, such as HTML, CGI, ASP, PHP, and other technologies. Such packages can contain ready-made forums, guest books, news pages, etc. There are packages for building just, say, forums. For example, the forum-building tools phpbb and ikonboard are very popular and are widely used on the Internet.
So if a hole is discovered in some site-building or forum-building program, all Internet sites built using these programs become vulnerable. Most site administrators do not subscribe to news postings and do not update their scripts; therefore, you just need to find a site built using the vulnerable package and use an exploit to break in.
How can you find sites or forums containing the vulnerability? It's very easy. Most often, the script used on the site can be determined by the URL string. For example, suppose the forum page on www.sitename.com is run by the Invision Power Board engine. When the forum page is loaded into a browser, its address will look like the following:
http://www.sitename.ru/index.php?showforum=4
The text index.php?showforum= will be contained in the URL of any forum built using the Invision Power Board engine. To find such sites you need to conduct a Google search for this text:
inurl:index.php?showforum
There can also be other forum engines that use this text. To winnow them out, you can add some text to the search parameter. For example, by default each page of forums run by Invision Power Board has the following text at the bottom: "Powered by Invision Power Board(U)." The text, of course, can be changed by the administrator, but in most cases it is left unchanged. So if you add this text to the search string you can be certain that the search results will only be the pages of the needed forum. Try to execute the following search:
Powered by Invision Power Board(U) inurl:index.php?showforum
You will see more than 150 thousand sites running forums built using this engine. Now when a vulnerability is discovered in Invision Power Board, you can easily find a victim to exploit this vulnerability. Far from all administrators will rush to patch this hole, while some of them will not patch it at all.
Try to run a search for inurl:admin/index.php. You will see many interesting things; they will take your breath away. Such references are often used for some site administering tasks. Experienced administrators protect them with a password and most of them will be inaccessible, but with those references that are not password protected, you can really have a field day.
Nevertheless, the GET method is necessary. Most sites contain no more than 10 script files, which display data on the page depending on the user's choice. For example, consider the URL of the same forum in the example above:
http://www.sitename.ru/index.php?showforum=4
In this case, a script named index.php is called and is passed a parameter named showforum with the value 4. Even without knowing the script's source code, it is easy to deduce that the script is supposed to show in the browser the forum identified in the site's database as number 4. Depending on the forum number, a different address will be displayed in the browser's URL field.
Unlike with the GET method, when the forum's number is passed using the POST method, no matter what forum page you may be viewing, its URL will look the same:
http://www.sitename.ru/index.php
This results in users not being able to bookmark this page, because the specific forum's URL is not available. Therefore, the GET method should be used when it is necessary to pass parameters uniquely identifying a page. At the same time, this method should not be used to pass any important data.
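Both GET uses described above, the partner parameter and the showforum parameter, come down to checking the value before it reaches the database. The following is an added example, not code from the original page or from any forum engine: the table and column names, the function names and the allowed partner-name format are hypothetical, and the in-memory demo database assumes the pdo_sqlite extension is available.

```php
<?php
// Added example, not from the original page. Schema and function names are hypothetical.
function demoDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE forums (id INTEGER PRIMARY KEY, title TEXT)');
    $db->exec('CREATE TABLE partners (name TEXT PRIMARY KEY)');
    $db->exec("INSERT INTO forums VALUES (4, 'General discussion')");
    $db->exec("INSERT INTO partners VALUES ('profwebev')");
    return $db;
}

// showforum must be a plain positive integer; anything else is "not found".
function findForum(PDO $db, array $get): ?array
{
    $id = filter_var($get['showforum'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    // The value is bound as a parameter, never concatenated into the SQL text.
    $stmt = $db->prepare('SELECT id, title FROM forums WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

// partner must match the assumed name format and exist among registered partners.
function creditedPartner(PDO $db, array $get): ?string
{
    $name = $get['partner'] ?? null;
    if (!is_string($name) || !preg_match('/\A[a-z0-9_-]{1,32}\z/', $name)) {
        return null;
    }
    $stmt = $db->prepare('SELECT name FROM partners WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $found = $stmt->fetchColumn();
    return $found === false ? null : $found;
}

// Constructed query strings, parsed the way PHP fills $_GET.
$db = demoDb();
$queries = ['showforum=4', 'showforum=4%20OR%201=1', 'showforum[]=4',
            'partner=profwebev', "partner=x'--"];
foreach ($queries as $query) {
    parse_str($query, $get);
    printf("%-24s forum=%s partner=%s\n", $query,
        json_encode(findForum($db, $get)), json_encode(creditedPartner($db, $get)));
}
```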