Those headers don't come from GWT itself; they've been added by the 
application or some library/framework it uses on top of GWT. It looks like 
that app is using something like gwt-dispatch, gwt-sl or spring4gwt or 
something like that, but maybe homemade.
What I'd do to tell if they're actually used/useful (in this specific 
case!):

   1. open the WAR and look at the WEB-INF/web.xml (or possibly some other 
   configuration files if it uses, e.g., Spring or whatever) to try to find 
   the servlet class mapped to the /dispatch/GetCompaniesAction path (could be 
   as easy as a class named GetCompaniesAction)
   2. Decompile that class (using javap or an IDE) and look for a 
   doPut(ServletRequest,ServletResponse) method. Possibly go up the class 
   hierarchy until you find the RemoteServiceServlet.

Depending on the application, that may not lead to anything, but if there's 
a doPut, chances are it will be used.

Also look at the WEB-INF/web.xml for servlet filters, and at other 
configuration files (Spring mainly, if used) to see if there'd be some 
filter dedicated to handling those kinds of headers.

Anyway, as said: this doesn't come from GWT itself.

(actually, I'd be more concerned about a Firefox 98 being used 😅)

Now I don't know Fortify WebInspect so maybe I'm also misinterpreting 
what's reported here: if this is a request made by Fortify WebInspect 
(rather than one made "on the wild" and intercepted by the solution) then I 
don't see why it'd be reported as a vulnerability, it could be that the 
server completely ignores the headers, right?

On Wednesday, April 26, 2023 at 11:37:00 AM UTC+2 cyclop...@gmail.com wrote:

> We have a web app (GWT 2.7) from a vendor and we don't have any source 
> code.
> Now we are facing a vulnerability about *HTTP Method Override* for the HTTP 
> headers below
>
> *X-HTTP-METHOD*
>
> *X-HTTP-Method-Override*
> *X-METHOD-OVERRIDE*
>
> Fortify WebInspect report
>
> Attack Request:
> POST /CustomPortal/dispatch/GetCompaniesAction HTTP/1.1
> Host: 10.4.202.26:8861
> User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0) 
> Gecko/20100101 Firefox/98.0
> Accept: */*
> Accept-Language: en-US,en;q=0.5
> Accept-Encoding: gzip, deflate
> Content-Type: text/x-gwt-rpc; charset=utf-8
> X-GWT-Permutation: 3EE8E625356CC9E9E724C10285609299
> X-GWT-Module-Base: https://10.4.202.26:8861/CustomPortal/custom/
> Referer: https://10.4.202.26:8861/CustomPortal/
> Content-Length: 311
> Origin: https://10.4.202.26:8861
> Pragma: no-cache
> X-HTTP-METHOD: PUT
> X-HTTP-Method-Override: PUT
> X-METHOD-OVERRIDE: PUT
> Connection: Keep-Alive
> X-WIPP: AscVersion=22.2.0....TRUNCATED...
>
> Attack Response:
> HTTP/1.1 200 OK
> Set-Cookie: JSESSIONIDSSO=; path=/; HttpOnly; Max-Age=0; Expires=Thu, 
> 01-Jan-1970 00:00:00 GMT
> X-XSS-Protection: 1; mode=block
> X-Frame-Options: SAMEORIGIN
> Referrer-Policy: strict-origin-when-cross-origin
> Content-Security-Policy: default-src 'self'; object-src 'none'; base-uri 
> 'none'; style-src 'self' 'unsafe-inline'; img-src 'self'; scriptsrc
> 'self' 'unsafe-inline' 'unsafe-eval';connect-src 'self' https: localhost;
> Content-Disposition: attachment
> Date: Fri, 21 Apr 2023 06:10:56 GMT
> Connection: keep-alive
> X-Content-Type-Options: nosniff
> Content-Length: 177
> Content-Type: application/json;charset=utf-8
> //EX[3,0,2,1,0,1,["com...TRUNCATED...
>
> Is there any way to disable these headers?
> Or is there any description to let me tell the user this is NOT a 
> vulnerability?
>
> AP server is JBoss EAP 7.3.8 GA
>
> Many thx!
>
>
>

-- 
You received this message because you are subscribed to the Google Groups "GWT 
Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to google-web-toolkit+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/google-web-toolkit/71934569-0a42-4892-9354-c8f527c22830n%40googlegroups.com.
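The static inspection the reply describes (find the servlet mapped to the path in WEB-INF/web.xml, list the filters, then check the mapped class for a doPut or for the override header names), as an added example that is not code from this thread or from the vendor's application. Rather than running javap it reads the .class bytes directly, since method names and string literals sit in the constant pool as plain UTF-8. The WAR it inspects is constructed inline: the path, the class names and the filter that reads X-HTTP-Method-Override are placeholders, not the real artefact.

```python
"""Static check of a WAR for HTTP method-override handling (added example).

Mirrors the manual procedure from the reply: resolve the servlet mapped to a
path in WEB-INF/web.xml, list the filters, then scan the mapped class (and
each filter class) for a doPut method or for override header names.  Method
names and string literals are stored verbatim in the class constant pool, so
a byte scan is enough to triage without javap.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Header names from the WebInspect finding plus the common "_method" parameter.
OVERRIDE_HEADERS = ("x-http-method", "x-http-method-override", "x-method-override", "_method")


def _text(el, tag):
    return (el.findtext(tag) or "").strip()


def parse_web_xml(data: bytes) -> dict:
    """Return url-pattern -> servlet-class mappings and the filter classes of a web.xml."""
    root = ET.fromstring(data)
    for el in root.iter():                      # drop the Servlet XML namespace
        el.tag = el.tag.split("}")[-1]
    classes = {_text(s, "servlet-name"): _text(s, "servlet-class") for s in root.findall("servlet")}
    mappings = {}
    for m in root.findall("servlet-mapping"):
        for p in m.findall("url-pattern"):
            mappings[p.text.strip()] = classes.get(_text(m, "servlet-name"))
    filters = [_text(f, "filter-class") for f in root.findall("filter")]
    return {"mappings": mappings, "filters": filters}


def servlet_for_path(mappings: dict, path: str):
    """Resolve a request path: exact match, then longest /prefix/*, then *.ext, then default."""
    if path in mappings:
        return mappings[path]
    best = None
    for pattern, cls in mappings.items():
        if pattern.endswith("/*") and path.startswith(pattern[:-1]):
            if best is None or len(pattern) > len(best[0]):
                best = (pattern, cls)
    if best:
        return best[1]
    for pattern, cls in mappings.items():
        if pattern.startswith("*.") and path.endswith(pattern[1:]):
            return cls
    return mappings.get("/")


def scan_class(data: bytes) -> dict:
    """Look for a doPut method and override header names in the constant-pool text."""
    text = data.decode("latin-1")
    low = text.lower()
    # Bounded match so "x-http-method" does not fire on "x-http-method-override".
    found = [h for h in OVERRIDE_HEADERS if re.search(r"(?<![-\w])" + re.escape(h) + r"(?![-\w])", low)]
    return {"has_doPut": re.search(r"(?<!\w)doPut(?!\w)", text) is not None,
            "override_headers": found}


def _class_bytes(war: zipfile.ZipFile, cls: str):
    name = "WEB-INF/classes/" + cls.replace(".", "/") + ".class"
    return war.read(name) if name in war.namelist() else None   # classes in WEB-INF/lib need a jar walk


def audit(war_bytes: bytes, path: str) -> dict:
    """Run the whole triage for one request path against a WAR held in memory."""
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        cfg = parse_web_xml(war.read("WEB-INF/web.xml"))
        cls = servlet_for_path(cfg["mappings"], path)
        report = {"servlet_class": cls, "filters": cfg["filters"],
                  "class_findings": None, "filter_findings": {}}
        data = _class_bytes(war, cls) if cls else None
        if data:
            report["class_findings"] = scan_class(data)
        for f in cfg["filters"]:
            fdata = _class_bytes(war, f)
            if fdata:
                report["filter_findings"][f] = scan_class(fdata)
        return report


def build_demo_war() -> bytes:
    """Constructed WAR (placeholder names): a dispatch servlet and a filter that reads the override header."""
    web_xml = b"""<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <filter><filter-name>methodOverride</filter-name>
    <filter-class>com.example.portal.MethodOverrideFilter</filter-class></filter>
  <filter-mapping><filter-name>methodOverride</filter-name><url-pattern>/*</url-pattern></filter-mapping>
  <servlet><servlet-name>dispatch</servlet-name>
    <servlet-class>com.example.portal.DispatchServlet</servlet-class></servlet>
  <servlet-mapping><servlet-name>dispatch</servlet-name><url-pattern>/dispatch/*</url-pattern></servlet-mapping>
</web-app>"""
    # Fake .class bodies: only the constant-pool strings matter to this scan.
    dispatch_cls = b"\xca\xfe\xba\xbe\x00doPut\x00doPost\x00processCall\x00"
    filter_cls = b"\xca\xfe\xba\xbe\x00doFilter\x00X-HTTP-Method-Override\x00getMethod\x00"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("WEB-INF/web.xml", web_xml)
        z.writestr("WEB-INF/classes/com/example/portal/DispatchServlet.class", dispatch_cls)
        z.writestr("WEB-INF/classes/com/example/portal/MethodOverrideFilter.class", filter_cls)
    return buf.getvalue()


if __name__ == "__main__":
    import json
    print(json.dumps(audit(build_demo_war(), "/dispatch/GetCompaniesAction"), indent=2))
```

On a real WAR, point `audit` at the file bytes and the path from the finding; a hit on doPut in the servlet or on a header name in a filter is what makes the finding worth chasing, an empty report is the evidence for telling the user the headers are dead weight. Classes packed under WEB-INF/lib are not walked here, so a Spring-style override filter shipped in a jar would need the jars scanned too.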

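The check the reply's last paragraph points at, whether the server actually acts on the override headers or just ignores them, as an added example that is neither code from this thread nor WebInspect's own logic: send the same POST with and without the override headers plus a real PUT, and compare the responses. It runs against two constructed local handlers, one that dispatches on the request line only and one that trusts the header (the vulnerable pattern); the path, body and response strings are placeholders, and against the real app the body would be the captured GWT-RPC payload.

```python
"""Differential probe for HTTP method-override handling (added example).

The three requests are: a plain POST, the same POST carrying the override
headers, and a genuine PUT.  If the override request answers differently
from the plain POST and the same as the real PUT, the server rewrote the
verb from a client-controlled header.  Both handlers below are constructed
stand-ins for the demo, not the vendor's servlet.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

OVERRIDE_HEADERS = ("X-HTTP-METHOD", "X-HTTP-Method-Override", "X-METHOD-OVERRIDE")


class IgnoringHandler(BaseHTTPRequestHandler):
    """Dispatches strictly on the request-line verb; override headers are ignored."""

    def _reply(self, code, body):
        data = body.encode()
        self.send_response(code)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def _effective_method(self):
        return self.command

    def _dispatch(self):
        self.rfile.read(int(self.headers.get("Content-Length", "0")))  # drain the body
        method = self._effective_method()
        if method == "POST":
            self._reply(200, "dispatched as POST")
        elif method == "PUT":
            self._reply(200, "dispatched as PUT")
        else:
            self._reply(405, "method not allowed")

    do_POST = do_PUT = do_DELETE = _dispatch

    def log_message(self, *args):   # keep the demo quiet
        pass


class HonouringHandler(IgnoringHandler):
    """Vulnerable pattern: a client-supplied header rewrites the verb before dispatch."""

    def _effective_method(self):
        for name in OVERRIDE_HEADERS:
            if self.headers.get(name):
                return self.headers[name].upper()
        return self.command


def probe(port, path="/dispatch/GetCompaniesAction", body="constructed gwt-rpc body"):
    """Send the three requests and report whether the override changed the outcome."""

    def send(method, extra=None):
        conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
        headers = {"Content-Type": "text/x-gwt-rpc; charset=utf-8"}
        headers.update(extra or {})
        conn.request(method, path, body=body, headers=headers)
        resp = conn.getresponse()
        result = (resp.status, resp.read().decode())
        conn.close()
        return result

    plain = send("POST")
    overridden = send("POST", {name: "PUT" for name in OVERRIDE_HEADERS})
    real_put = send("PUT")
    return {
        "plain_post": plain,
        "post_with_override": overridden,
        "real_put": real_put,
        "differs_from_post": overridden != plain,
        "override_honoured": overridden != plain and overridden == real_put,
    }


def run_probe(handler_cls):
    """Spin up the handler on an ephemeral loopback port, probe it, tear it down."""
    server = HTTPServer(("127.0.0.1", 0), handler_cls)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return probe(server.server_address[1])
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for cls in (IgnoringHandler, HonouringHandler):
        print(cls.__name__, run_probe(cls))
```

Against the real application `probe` takes the host's port and the captured payload; run it on a test instance, since a PUT that is honoured may well write something. Read both flags: `differs_from_post` alone already means the headers are not ignored (an app may 405 a genuine PUT yet still change behaviour on the override), while `override_honoured` is the clean case where the override is indistinguishable from a real PUT. If neither is set, the headers are inert on that endpoint and the scanner's request proves nothing by itself.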