POST Accepted as GET


Description

The application accepts HTTP POST requests as GET requests: handlers that should only run when a form is submitted with POST also run when the same parameters arrive in the query string of a GET. In RFC 2616, which defines the HTTP protocol, the POST method is reserved for data submissions that change the state of the application, whereas the GET method should be used for queries that do not. A number of attacks, such as cross-site scripting, are facilitated when an attacker can place malicious input in an easily-clicked URL, using a GET request that has been converted from a POST request.

Impact

Attackers will take advantage of this vulnerability to increase the likelihood of success with attacks such as Cross Site Scripting (XSS) and Cross Site Request Forgery (CSRF). Instead of needing to submit a form to the server during an attack, an attacker can exploit this vulnerability by adding the malicious script or parameter into a URL. As a result, the attacker only needs to convince a user to click on a link. Additionally, accepting a GET in place of a POST can lead to accidental data disclosure if a developer inadvertently specifies GET as the method of an HTML form, so that sensitive data is passed in the URL. When parameters are passed by GET, they stay in the browser history, are recorded in server logs, and are passed in the Referer header of requests the page makes to third parties.
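As an added example (not code from this database entry), a minimal Python request dispatcher showing the vulnerable pattern beside the hardened one, plus a check that replays a form's fields as a GET query string to confirm whether the finding applies. The route path, parameter name and in-memory account record are constructed for illustration.

```python
from urllib.parse import parse_qs, urlencode

# Constructed in-memory account record so the example runs offline.
ACCOUNT = {"email": "alice@example.com"}

def update_email(params):
    """State-changing action shared by both dispatchers below."""
    if "email" not in params:
        return 400, {}, "missing email"
    ACCOUNT["email"] = params["email"][0]
    return 200, {}, "email updated"

def vulnerable_dispatch(method, path, query="", body=""):
    """Vulnerable: the method is never checked and parameters are merged
    from the URL and the body, so ?email=... in a link works like the form."""
    params = parse_qs(query)
    params.update(parse_qs(body))
    if path == "/account/email":
        return update_email(params)
    return 404, {}, "not found"

# Hardened router: each route declares the methods it serves.
ROUTES = {"/account/email": ({"POST"}, update_email)}

def hardened_dispatch(method, path, query="", body=""):
    """Hardened: a wrong method gets 405 with an Allow header, and a POST
    handler only ever sees body parameters, never the query string."""
    if path not in ROUTES:
        return 404, {}, "not found"
    allowed, handler = ROUTES[path]
    if method not in allowed:
        return 405, {"Allow": ", ".join(sorted(allowed))}, "method not allowed"
    params = parse_qs(body if method == "POST" else query)
    return handler(params)

def accepts_post_as_get(dispatch, path, form):
    """Test check: replay a POST form's fields as a GET query string and
    report whether the server performed the state change anyway."""
    status, _, _ = dispatch("GET", path, query=urlencode(form))
    return status == 200
```

The same replay can be done against a real application with curl by moving a form's fields into the URL of a GET and watching for a 405 rather than a success response.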

Risk Rating

Remediation

How To Test

Sample Report Screenshots

Time Saving Tips

Testing Gotchas

References
