Re: Apache Wicket - Enforcing POST on Ajax calls
Thanks, I'll try that!

Eric Hamel
Senior Project Manager
Albany Information Technology Group
C. 518-698-4503

> On Oct 16, 2020, at 4:32 PM, Martin Grigorov wrote:
>
> On Fri, Oct 16, 2020, 23:27 Eric Hamel wrote:
>
>> I apologize in advance for my vague question. Our Wicket 8 based
>> application was submitted to pen testing from our EISO. While I understand
>> the finding, I'm not 100% sure I understand the problem nor do I know how
>> to address it.
>>
>> In one of our complex forms that uses Ajax calls to automatically update
>> the DB when the fields lose focus, the tester made the following remark:
>>
>> Applications accepts GET requests for coded POST Ajax calls – parameters
>> can be passed in URL
>>
>> It appears that through his "fuzzer", even though our requests are marked
>> as POST, it still processes GET requests. Is there a way to enforce POST?
>> Is there any way to mitigate this issue globally from a configuration
>> standpoint?
>>
>
> See Form#onMethodMismatch()
Re: Apache Wicket - Enforcing POST on Ajax calls
On Fri, Oct 16, 2020, 23:27 Eric Hamel wrote:

> I apologize in advance for my vague question. Our Wicket 8 based
> application was submitted to pen testing from our EISO. While I understand
> the finding, I'm not 100% sure I understand the problem nor do I know how
> to address it.
>
> In one of our complex forms that uses Ajax calls to automatically update
> the DB when the fields lose focus, the tester made the following remark:
>
> Applications accepts GET requests for coded POST Ajax calls – parameters
> can be passed in URL
>
> It appears that through his "fuzzer", even though our requests are marked
> as POST, it still processes GET requests. Is there a way to enforce POST?
> Is there any way to mitigate this issue globally from a configuration
> standpoint?
>

See Form#onMethodMismatch()
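As an added illustration of the Form#onMethodMismatch() pointer (this is example code, not code from the thread or from Wicket itself): a hypothetical base form that aborts any submit whose HTTP method differs from the form's declared method, and logs the mismatch so the replayed-GET requests from the fuzzer show up in the server log. It assumes Wicket 8's Form API (getMethod(), Form.MethodMismatchResponse), the javax.servlet container request Wicket 8 runs on, and SLF4J for logging; the class name PostOnlyForm is made up.

```java
import javax.servlet.http.HttpServletRequest;

import org.apache.wicket.markup.html.form.Form;
import org.apache.wicket.request.cycle.RequestCycle;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
 * Hypothetical base class for the application's forms. Wicket calls
 * onMethodMismatch() from Form#onFormSubmitted() when the request method
 * (e.g. GET) does not match the method the form declares (POST by default).
 * Returning ABORT makes onFormSubmitted() return before validation,
 * model updates and onSubmit(), so a GET replay of a POST Ajax submit
 * never reaches the database update.
 */
public abstract class PostOnlyForm<T> extends Form<T> {

    private static final Logger LOG = LoggerFactory.getLogger(PostOnlyForm.class);

    public PostOnlyForm(String id) {
        super(id);
    }

    @Override
    protected Form.MethodMismatchResponse onMethodMismatch() {
        Object container = RequestCycle.get().getRequest().getContainerRequest();
        if (container instanceof HttpServletRequest) {
            HttpServletRequest http = (HttpServletRequest) container;
            // Detection: one log line per rejected submit, with enough context to
            // correlate with the pen-test report (form path, expected vs. actual method).
            LOG.warn("Rejected submit of form '{}': declared method {} but request used {} from {}",
                    getPageRelativePath(), getMethod(), http.getMethod(), http.getRemoteAddr());
        }
        // Wicket's default is CONTINUE, which is why the GET requests were processed.
        return Form.MethodMismatchResponse.ABORT;
    }
}
```

Extending this class instead of Form is the closest thing to a global switch, since onMethodMismatch() is a protected hook rather than an application setting. It only runs for submits that go through the form (AjaxButton, AjaxFormSubmitBehavior); an AjaxFormComponentUpdatingBehavior on a field updates that component's model without a form submit, so field-level blur handlers need their own check of the request method.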
Apache Wicket - Enforcing POST on Ajax calls
I apologize in advance for my vague question. Our Wicket 8 based application was submitted to pen testing from our EISO. While I understand the finding, I'm not 100% sure I understand the problem nor do I know how to address it.

In one of our complex forms that uses Ajax calls to automatically update the DB when the fields lose focus, the tester made the following remark:

Applications accepts GET requests for coded POST Ajax calls – parameters can be passed in URL

It appears that through his "fuzzer", even though our requests are marked as POST, it still processes GET requests. Is there a way to enforce POST? Is there any way to mitigate this issue globally from a configuration standpoint?