[Dshield] seems like a flaw in a yahoo url

Tom Laermans tom.laermans at powersource.cx
Fri Apr 23 22:33:57 GMT 2004


On Fri, 2004-04-23 at 15:53, Andy Streule wrote:

> some login systems dont put the login details in a url tho. those
> systems are safer arent they?

No, they aren't.

If you "see" the data in the URL, the page is using the HTTP GET
technique to fill out the form. There is no reason why the
client/script/whatever can not simply use the POST technique (with
"hidden" parameters), that doesn't make it more secure.

Tom
PowerSource Network Administrator




More information about the list mailing list