GET and POST Interchangeability

In some applications, the HTTP methods GET and POST can be used interchangeably.

For example, the application may expect a POST request, and the frontend will also send the data in a POST request, but if the request is tampered with, the data will also be accepted in a GET request.

An example for this behavior would be Javas getParameter or PHPs $_REQUEST, which both deliver GET as well as POST parameters.

  • Is this generally considered a security issue? Is it documented somewhere, for example as a CWE or by OWASP?
  • Does this issue have a name?
  • What are the dangers of POST to GET downgrade? One example I could think of would be the possibility to exploit CSRF issues via img tags, which means an attacker can place CSRF payloads on websites where they cannot post scripts, making it considerably easier to exploit the issue. Are there other benefits for attackers?
  • What - if any - are the dangers of GET to POST change?


It is a bad practice as it makes the development more confusing in order to ensure that there is no overlay between the possible GET and POST parameters which are normally processed separately.

It also makes it a tiny bit easier for a hacker to benefit from a vulnerability in your site but it doesn't create breaches on its own.

In a well organized web application, the GET parameters are used for routing (page or module selection and relevant options) while POST parameters actually represent data submitted by the user. Following this simple guideline makes the development much more organized, so safer from errors on your end.

Category: web application Time: 2016-07-30 Views: 0

Related post

iOS development

Android development

Python development

JAVA development

Development language

PHP development

Ruby development


Front-end development


development tools

Open Platform

Javascript development

.NET development

cloud computing


Copyright (C), All Rights Reserved.

processed in 0.234 (s). 12 q(s)