locked
GET AND POST are interchangeable RRS feed

  • Question

  • User-1149473135 posted

    Hi,

    My web application runs on IIS7 and Windows Server 2008. Right now, we are facing an issue where the application was found to accept parameters using the GET and POST HTTP Methods interchangeably. This provides 2 distinct methods for providing input to the application and can make certain attacks more viable.

    For example, if an attacker found a POST parameter which was vulnerable to cross site scripting(XSS),  and GET and POST requests were interchangeable, the XSS attack could be performed via GET instead, allowing them to create a URL to send to potential victims.

    I would be glad if someone could help me to resolve this issue.

    Wednesday, August 6, 2014 6:34 AM

Answers

All replies