Skip to main content

This content is closed to future replies and is no longer being maintained or updated.
Links may no longer function. If you have a similar request, please write a new post.

Question

 Hao Sun (HaoS9285)
Sun Life Financial Inc.

Sun Life Financial Inc.
US
HaoS9285 Member since 2018 9 posts
Sun Life Financial Inc.
Posted: Feb 9, 2021
Last activity: Aug 9, 2021
Posted: 9 Feb 2021 14:22 EST
Last activity: 9 Aug 2021 9:10 EDT
Closed

Application accepts modified requests where the HTTP method is changed from POST to GET

Hi,

Our application recently undergone the security test, one of findings indicates that our application accepts modified requests where the HTTP method is changed from POST to GET. This may lead to exposure of the sensitive information transmitted in the URI string.

Recommendation:

1. Reject request which do not use the expected HTTP method.

2. Transmit all sensitive information in the encrypted body part of POST requests

 

Please help recommend solution to mitigate this issue.

 

Thank you!

To see attachments, please log in.
Pega Platform 8.4.1
Security
Insurance
System Architect

Posted: 3 years ago
Posted: 9 Aug 2021 9:10 EDT
Gurneet Singh (GurneetS)
Societe Generale SA

Societe Generale SA
IN

@HaoS9285Hi, Where you able to resolve this vulnerability? 

I saw 1 possible mitigation is to Configure an Access Control list at server level .

Thanks and Regards Gurneet

To see attachments, please log in.

We'd prefer it if you saw us at our best.

Pega Collaboration Center has detected you are using a browser which may prevent you from experiencing the site as intended. To improve your experience, please update your browser.

Close Deprecation Notice