I apologize in advance for my vague question. Our Wicket 8 based
application was submitted to pen testing from our EISO. While I understand
the finding, I'm not 100% sure I understand the problem nor do I know how
to address it.

In one of our complex forms that uses Ajax Calls to automatically update
the DB when the fields lose focus, the tester made the following remark:

Application accepts GET requests for coded POST Ajax calls – parameters
can be passed in URL

It appears that through his "fuzzer", even though our requests are marked
as POST, it still processes GET requests. Is there a way to enforce POST?
Is there any way to mitigate this issue globally from a configuration
standpoint?
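One way to enforce the verb on the server, as an added example that is not from the original post or from the Wicket project: `AjaxRequestAttributes.setMethod(POST)` only tells the browser-side script which verb to send, so the check has to happen again in the behaviour's callback. The class `PostOnly` and its methods `requirePost`, `attach` and `saveToDatabase` are this example's own names; it assumes Wicket 8's `AjaxRequestAttributes.Method`, `AbortWithHttpErrorCodeException` and `Request.getContainerRequest()`.

```java
import javax.servlet.http.HttpServletRequest;

import org.apache.wicket.ajax.AjaxRequestTarget;
import org.apache.wicket.ajax.attributes.AjaxRequestAttributes;
import org.apache.wicket.ajax.form.AjaxFormComponentUpdatingBehavior;
import org.apache.wicket.markup.html.form.TextField;
import org.apache.wicket.protocol.http.servlet.AbortWithHttpErrorCodeException;
import org.apache.wicket.request.cycle.RequestCycle;

/** Hypothetical helper; the class name and structure are this example's own. */
public final class PostOnly {

    private PostOnly() {}

    /** Server-side check: abort with 405 unless the container request is a POST. */
    public static void requirePost() {
        // Wicket exposes the underlying HttpServletRequest as the "container request".
        HttpServletRequest http =
            (HttpServletRequest) RequestCycle.get().getRequest().getContainerRequest();
        if (!"POST".equalsIgnoreCase(http.getMethod())) {
            throw new AbortWithHttpErrorCodeException(405, "Ajax callback requires POST");
        }
    }

    /** Example wiring for a field that writes to the DB when it loses focus. */
    public static void attach(TextField<String> field) {
        field.add(new AjaxFormComponentUpdatingBehavior("blur") {
            @Override
            protected void updateAjaxAttributes(AjaxRequestAttributes attributes) {
                super.updateAjaxAttributes(attributes);
                // Client side only: tells wicket-ajax.js which verb to use.
                // A request replayed against the same URL with GET is not affected by this.
                attributes.setMethod(AjaxRequestAttributes.Method.POST);
            }

            @Override
            protected void onUpdate(AjaxRequestTarget target) {
                // Server side: the actual enforcement. By the time onUpdate runs the
                // component model in page state has already been updated; the DB write
                // below is what this check protects.
                requirePost();
                saveToDatabase(field.getModelObject()); // placeholder for the app's own persistence
            }
        });
    }

    static void saveToDatabase(String value) { /* application-specific */ }
}
```

Because the check runs inside the callback, it covers this behaviour only; applying it to every Ajax behaviour in the application means either routing all of them through a shared base class like this one or moving the same verb check into a request cycle listener.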
