We have a web app (GWT 2.7) from a vendor and we don't have any source code. Now we are facing a vulnerability finding about *HTTP Method Override* for the HTTP headers below:

*X-HTTP-METHOD*
*X-HTTP-Method-Override*
*X-METHOD-OVERRIDE*

Fortify WebInspect report

Attack Request:

POST /CustomPortal/dispatch/GetCompaniesAction HTTP/1.1
Host: 10.4.202.26:8861
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0) Gecko/20100101 Firefox/98.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: text/x-gwt-rpc; charset=utf-8
X-GWT-Permutation: 3EE8E625356CC9E9E724C10285609299
X-GWT-Module-Base: https://10.4.202.26:8861/CustomPortal/custom/
Referer: https://10.4.202.26:8861/CustomPortal/
Content-Length: 311
Origin: https://10.4.202.26:8861
Pragma: no-cache
X-HTTP-METHOD: PUT
X-HTTP-Method-Override: PUT
X-METHOD-OVERRIDE: PUT
Connection: Keep-Alive
X-WIPP: AscVersion=22.2.0....TRUNCATED...

Attack Response:

HTTP/1.1 200 OK
Set-Cookie: JSESSIONIDSSO=; path=/; HttpOnly; Max-Age=0; Expires=Thu, 01-Jan-1970 00:00:00 GMT
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Referrer-Policy: strict-origin-when-cross-origin
Content-Security-Policy: default-src 'self'; object-src 'none'; base-uri 'none'; style-src 'self' 'unsafe-inline'; img-src 'self'; scriptsrc 'self' 'unsafe-inline' 'unsafe-eval';connect-src 'self' https: localhost;
Content-Disposition: attachment
Date: Fri, 21 Apr 2023 06:10:56 GMT
Connection: keep-alive
X-Content-Type-Options: nosniff
Content-Length: 177
Content-Type: application/json;charset=utf-8

//EX[3,0,2,1,0,1,["com...TRUNCATED...

Is there any way to disable these headers? Or is there any description that lets me tell the user this is NOT a vulnerability?

AP server is JBoss EAP 7.3.8 GA

Many thx!
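One way to close the finding without vendor source, as an added example that is not part of the original post or the vendor's app: a servlet filter packaged into the WAR (WEB-INF/classes or a jar in WEB-INF/lib) that rejects any request carrying one of the three override headers from the report, so the scanner no longer sees a 200. The class name, the 400 status and the /* mapping are assumptions; it only needs the Servlet 3.0+ API that JBoss EAP 7.3 provides.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Assumed class name and mapping; @WebFilter registers it without touching web.xml.
@WebFilter(filterName = "MethodOverrideBlockingFilter", urlPatterns = "/*")
public class MethodOverrideBlockingFilter implements Filter {

    // Header names taken from the WebInspect attack request; getHeader() is case-insensitive.
    static final String[] OVERRIDE_HEADERS = {
        "X-HTTP-METHOD", "X-HTTP-Method-Override", "X-METHOD-OVERRIDE"
    };

    // Returns the first override header present on the request, or null if none is set.
    static String findOverrideHeader(HttpServletRequest req) {
        for (String name : OVERRIDE_HEADERS) {
            if (req.getHeader(name) != null) {
                return name;
            }
        }
        return null;
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (request instanceof HttpServletRequest) {
            String offending = findOverrideHeader((HttpServletRequest) request);
            if (offending != null) {
                // Refuse instead of silently stripping the header: the scanner then sees a
                // non-200 response, and blocked attempts show up in the access log.
                ((HttpServletResponse) response).sendError(HttpServletResponse.SC_BAD_REQUEST,
                        "Method override header " + offending + " is not accepted");
                return;
            }
        }
        chain.doFilter(request, response);
    }

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }
}
```

Because GWT-RPC traffic is plain POST, legitimate clients never send these headers, so the filter does not affect the portal's normal operation.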