How vulnerable are query string parameters and their values?
I am curious how vulnerable to hacking a website is if it has little validation on the query string params.
Some argue that:
1) an unrecognized query string parameter can do no harm
2) it's too much work, since the program is always in flux, so the "poor stepchild" would not keep up
3) the code to block this (locally at least) is fragile and will always delay a solid release
4) there will be many more failed log-ins than blocked hackers
What are your thoughts on this topic?
And how does using a Web Application Firewall change the discussion?
It seems that if the benefits to security were small or non-existent, the security industry would not waste its time closing this vulnerability.