Stupid web spammer tricks
I'd call these stupid spider tricks, except that these were so visibly committed by web spammers. (In one case they left me their spam, clearly visible.)
- you cannot take a POST form's form elements, turn them into query parameters, and then try to GET the result. Especially not if you also remove the existing query parameter on the URL of the form's target.
- you get modest bonus points if you POST your query-parameter-laden URL instead of GETting it. Not enough bonus points to make it work, though.
I have to admire the determination necessary to carefully program your software to do stuff like this. Or, alternately, the gleeful blindness required to ignore the fact that there are two ways of submitting form data, and just implement the easier one and use it for everything. (In this view, the POST-to-GET person is at least being consistent; his software may not implement POST at all.)
The existence of these things depresses me, because the fact that web comment spammers do them suggests that they actually work against some blog software. That's just sad, but then a lot of web software (starting with Apache) is very sloppy about this stuff.
(Accepting POST requests in GET form is especially bad because it opens you up to lovely cross-site attacks if I can so much as persuade you to click on a link. If you think this is obscure, consider how it could be combined with cross-site authentication like OpenID to let it be targeted. Add JavaScript, and I probably don't even need to get you to explicitly click something.)
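As an added example (not code from the original post or from any blog engine), here is a toy comment endpoint with the sloppy dispatch described above beside a strict one, run against the two spammer tricks and the cross-site link. The URL layout (the action picked by a bare query word such as ?writecomment, the fields carried in the POST body), the session token and the sample requests are all assumptions constructed for the example. The token check goes one step beyond what the post argues: refusing GET stops the link attack, but a cross-site page can still auto-submit a POST form, so the strict handler also demands a per-session token in the body.

```python
from http import HTTPStatus
from urllib.parse import parse_qs, urlsplit

# Assumed URL layout for the example: the form's target selects the action with a
# bare query word (/entry?writecomment) and the fields travel in the POST body.
ACTION = "writecomment"
# Constructed: the anti-CSRF token the legitimate, same-site form would carry.
SESSION_TOKEN = "tok-8f3a"


def _fields(encoded):
    """Decode an application/x-www-form-urlencoded string into a flat dict."""
    return {k: v[0] for k, v in parse_qs(encoded, keep_blank_values=True).items()}


def sloppy_comment(method, target, body):
    """The sloppy dispatch the post complains about: query-string and body
    parameters are merged and the method is ignored, so a plain link (GET) or a
    body-less POST with the fields in the URL both post a comment.
    Returns (status, stored_comment_or_None)."""
    params = _fields(urlsplit(target).query)
    params.update(_fields(body))
    if "comment" not in params:
        return HTTPStatus.BAD_REQUEST, None
    return HTTPStatus.OK, params["comment"]


def strict_comment(method, target, body, session_token):
    """Hardened dispatch: the action is selected only by the query string, form
    fields are read only from a POST body, and the body must carry the session's
    CSRF token (assumed here as the standard defence that method strictness alone
    does not give you)."""
    query = _fields(urlsplit(target).query)
    if ACTION not in query:
        return HTTPStatus.NOT_FOUND, None           # spammer dropped ?writecomment
    if method != "POST":
        return HTTPStatus.METHOD_NOT_ALLOWED, None  # a link can only GET
    params = _fields(body)                          # never the query string
    if params.get("csrf") != session_token:
        return HTTPStatus.FORBIDDEN, None           # cross-site form has no token
    if "comment" not in params:
        return HTTPStatus.BAD_REQUEST, None
    return HTTPStatus.OK, params["comment"]


# Constructed requests as (method, request-target, body); none come from the post.
REQUESTS = {
    "legit": ("POST", "/entry?writecomment", f"comment=hello&csrf={SESSION_TOKEN}"),
    # fields moved into the query, ?writecomment dropped, sent as a GET
    "get_trick": ("GET", "/entry?comment=buy+pills", ""),
    # same URL, but POSTed with an empty body
    "post_query_trick": ("POST", "/entry?comment=buy+pills", ""),
    # the cross-site link: ?writecomment kept, fields in the query, fetched by GET
    "csrf_link": ("GET", "/entry?writecomment&comment=buy+pills", ""),
    # a cross-site auto-submitted POST form: right method, but no session token
    "csrf_form": ("POST", "/entry?writecomment", "comment=buy+pills"),
}


def outcomes():
    """Map each request name to (sloppy_accepted, strict_accepted)."""
    out = {}
    for name, (method, target, body) in REQUESTS.items():
        out[name] = (
            sloppy_comment(method, target, body)[0] == HTTPStatus.OK,
            strict_comment(method, target, body, SESSION_TOKEN)[0] == HTTPStatus.OK,
        )
    return out


if __name__ == "__main__":
    for name, (sloppy, strict) in outcomes().items():
        print(f"{name:17s} sloppy={'accepted' if sloppy else 'rejected'} "
              f"strict={'accepted' if strict else 'rejected'}")
```

The sloppy handler accepts every one of the five requests; the strict handler accepts only the legitimate one, rejecting the two spammer tricks because they dropped the action word, the link because it is a GET, and the auto-submitted form because it carries no token.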