0

I am facing a pen testing issue as below. Is there a way so that we can restrict the method as POST from the JavaScript end? Tried .setAttribute('method', 'POST') but that is breaking the application. Is there any other way to achieve this so that the pen testing issue can be resolved? I am using a stripes form and button as in the snippet below.

Request designed as POST is accepted as GET. The application will accept and process a request sent as a GET, even though it is designed to be used as a POST. A GET request exposes any included parameters in browser history, printed pages, and server logs. A POST prevents those exposures.

<stripes:form autocomplete="off" beanclass="com.demo.SubmitEmployeeAction"
              id="submitEmployeeForm" name="submitEmployeeForm">
    <!-- form fields omitted in the original snippet -->
    <button id="submitEmp" class="grayBtnCancel" style="font-size: 93%;">Submit Employee</button>
</stripes:form>

<script>
$("#submitEmp").click(function(event) {
    event.preventDefault();
    // point the form at the SubmitEmployee action, then submit it
    document.submitEmployeeForm.action = 'SubmitEmployee.action?submitEmployeeForm=';
    // disable the button so the form cannot be submitted twice
    $("#submitEmp").attr('disabled', 'disabled');
    $("#submitEmployeeForm").submit();
});
</script>
avocadoLambda
  • 1,332
  • 7
  • 16
  • 33
  • Confusing but you can block these requests with NGINX... Allow it only on pages where settings may be altered/etc... If you haven't... plunk the server behind nginx and set it up to protect you there. – BGPHiJACK Aug 18 '21 at 12:53
  • You can use a Stripes intercept to ensure that the HTTP method is correct. In my Stripes application, that's based on annotations on the Action methods (the "event" methods), so an incoming HTTP request for an Action/event target that requires POST can be rejected. It won't happen automatically; the application has to actively prevent it. – Pointy Aug 18 '21 at 12:56

1 Answer

2

The issue is:

Request designed as POST is accepted as GET

Any changes you make to the client to try to get it to send only POST isn't going to change what the server will accept.

You can't trick this test with client-side code.

To stop the testing system from complaining, change the server so it throws a 405 Method Not Allowed response for GET requests to that URL.

Quentin
  • 914,110
  • 126
  • 1,211
  • 1,335
  • The Stripes framework (somewhat old, but it still works) has ample facilities to enforce rules like HTTP method requirements. e: it should go without saying that it's not necessarily *simple*, because every application is different. – Pointy Aug 18 '21 at 13:05
  • @Quentin Can you please elaborate what you mean with this 'To stop the testing system from complaining, change the server so it throws a 405 Method Not Allowed response for GET requests to that URL.' – user12872106 Aug 18 '21 at 13:15
  • @user12872106 the point is that it is up to code on the **server** to enforce HTTP method requirements. How exactly that works is a big topic. If your pen test has demonstrated that the server code does not do the enforcement, then the server is broken. – Pointy Aug 18 '21 at 13:18
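The server-side enforcement that Quentin's answer and Pointy's comments describe, written as a Stripes interceptor that answers 405 when a marked event handler is reached with anything other than POST. This is an added example, not code from the question or from the Stripes project; the @PostOnly annotation, the class name PostOnlyInterceptor and the handler name below are assumptions.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.Method;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import net.sourceforge.stripes.action.ErrorResolution;
import net.sourceforge.stripes.action.Resolution;
import net.sourceforge.stripes.controller.ExecutionContext;
import net.sourceforge.stripes.controller.Interceptor;
import net.sourceforge.stripes.controller.Intercepts;
import net.sourceforge.stripes.controller.LifecycleStage;

/** Hypothetical marker: put it on event handlers that must only be reachable via POST. */
@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.METHOD)
@interface PostOnly {}

/**
 * Runs once Stripes has chosen the event handler for the request. If that handler
 * is marked @PostOnly and the request is not a POST, it is refused with 405 before
 * binding, validation or the handler itself run.
 */
@Intercepts(LifecycleStage.HandlerResolution)
public class PostOnlyInterceptor implements Interceptor {

    @Override
    public Resolution intercept(ExecutionContext ctx) throws Exception {
        // Let Stripes resolve the handler first; a non-null Resolution means the
        // stage already short-circuited, so pass it through untouched.
        Resolution resolution = ctx.proceed();
        if (resolution != null) {
            return resolution;
        }
        Method handler = ctx.getHandler();
        HttpServletRequest request = ctx.getActionBeanContext().getRequest();
        if (handler != null
                && handler.isAnnotationPresent(PostOnly.class)
                && !"POST".equalsIgnoreCase(request.getMethod())) {
            // A 405 response should advertise which methods are allowed.
            ctx.getActionBeanContext().getResponse().setHeader("Allow", "POST");
            return new ErrorResolution(HttpServletResponse.SC_METHOD_NOT_ALLOWED,
                    "This action only accepts POST requests");
        }
        return null; // continue the normal Stripes lifecycle
    }
}
```

The handler in com.demo.SubmitEmployeeAction then carries the marker, e.g. `@DefaultHandler @PostOnly public Resolution submitEmployee()`, and the interceptor is registered with the StripesFilter through the `Interceptor.Classes` init-param in web.xml (assumed deployment details). Once that is in place the GET variant of the request gets a 405 regardless of what the page's JavaScript sends.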