Stupid web spammer tricks
I'd call these stupid spider tricks, except that these were so visibly committed by web spammers. (In one case they left me their spam, clearly visible.)
- you cannot take a POST form's form elements, turn them into query parameters, and then try to
- especially if you remove the existing query parameter on the URL of the form's target.
- you get modest bonus points if you POST your query parameter laden URL instead of GET'ing it. Not enough bonus points to make it work, though.
I have to admire the determination necessary to carefully program your
software to do stuff like this. Or, alternately, the gleeful blindness
required to ignore the fact that there are two ways of submitting form
data, and just implementing the easier one and using it for everything.
(In this view, the GET person is at least being consistent;
his software may not implement POST at all.)
The existence of these things depresses me, because the fact that the web comment spammers do them suggests that they actually work against some blog software. And that's just sad, but then a lot of web software (starting with Apache) is very sloppy about this stuff.
POST requests in GET form is especially bad because it
opens you up to lovely cross-site attacks if I can so much as persuade
you to click on a link. If you think this is obscure, consider how it
could be combined with cross-site authentication like OpenID to let it
to explicitly click something.)
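
The server-side check this post implies, as an added example that is not from the original post: a sloppy handler that merges URL and body parameters regardless of method, beside a strict one that takes form fields only from the body of a POST to the form's real target. The field names, the `action=add` target parameter and the sample requests are constructed for illustration.

```python
from urllib.parse import parse_qs

# Assumptions (not from the post): the comment form posts to
# /comment?action=add and carries the fields "name" and "comment".
FORM_FIELDS = {"name", "comment"}
TARGET_QUERY = {"action": ["add"]}

def sloppy_handler(method, query, body):
    """Ignore the method and merge URL and body parameters."""
    params = {**parse_qs(query), **parse_qs(body)}
    return 200 if FORM_FIELDS.issubset(params) else 400

def strict_handler(method, query, body):
    """Take form fields only from the body of a POST to the real target."""
    if method != "POST":
        return 405  # a GET (for example a clicked link) never submits the form
    if parse_qs(query) != TARGET_QUERY:
        return 400  # target parameter removed, or form fields put in the URL
    form = parse_qs(body)
    return 200 if FORM_FIELDS.issubset(form) else 400

# Constructed requests: (label, method, query string, urlencoded body)
REQUESTS = [
    ("form fields as a GET query", "GET", "name=x&comment=spam", ""),
    ("form fields POSTed in the URL", "POST", "name=x&comment=spam", ""),
    ("link carrying a full submission", "GET", "action=add&name=x&comment=spam", ""),
    ("real form submission", "POST", "action=add", "name=x&comment=hello"),
]

def compare():
    """Return {label: (sloppy status, strict status)} for each request."""
    return {label: (sloppy_handler(m, q, b), strict_handler(m, q, b))
            for label, m, q, b in REQUESTS}

if __name__ == "__main__":
    for label, (sloppy, strict) in compare().items():
        print(f"{label:32} sloppy={sloppy} strict={strict}")
```

Only the last request is accepted by the strict handler; the sloppy one accepts all four, including the one that arrives as nothing more than a followed link.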
Written on 05 September 2006.