We have a web app (GWT 2.7) from a vendor and we don't have any source code. Now we are faced with a vulnerability finding about *HTTP Method Override* for the HTTP headers below:

  *X-HTTP-METHOD*
  *X-HTTP-Method-Override*
  *X-METHOD-OVERRIDE*

Fortify WebInspect report

Attack Request:

  POST /CustomPortal/dispatch/GetCompaniesAction HTTP/1.1
  Host: 10.4.202.26:8861
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0) Gecko/20100101 Firefox/98.0
  Accept: */*
  Accept-Language: en-US,en;q=0.5
  Accept-Encoding: gzip, deflate
  Content-Type: text/x-gwt-rpc; charset=utf-8
  X-GWT-Permutation: 3EE8E625356CC9E9E724C10285609299
  X-GWT-Module-Base: https://10.4.202.26:8861/CustomPortal/custom/
  Referer: https://10.4.202.26:8861/CustomPortal/
  Content-Length: 311
  Origin: https://10.4.202.26:8861
  Pragma: no-cache
  X-HTTP-METHOD: PUT
  X-HTTP-Method-Override: PUT
  X-METHOD-OVERRIDE: PUT
  Connection: Keep-Alive
  X-WIPP: AscVersion=22.2.0....TRUNCATED...

Attack Response:

  HTTP/1.1 200 OK
  Set-Cookie: JSESSIONIDSSO=; path=/; HttpOnly; Max-Age=0; Expires=Thu, 01-Jan-1970 00:00:00 GMT
  X-XSS-Protection: 1; mode=block
  X-Frame-Options: SAMEORIGIN
  Referrer-Policy: strict-origin-when-cross-origin
  Content-Security-Policy: default-src 'self'; object-src 'none'; base-uri 'none'; style-src 'self' 'unsafe-inline'; img-src 'self'; scriptsrc 'self' 'unsafe-inline' 'unsafe-eval';connect-src 'self' https: localhost;
  Content-Disposition: attachment
  Date: Fri, 21 Apr 2023 06:10:56 GMT
  Connection: keep-alive
  X-Content-Type-Options: nosniff
  Content-Length: 177
  Content-Type: application/json;charset=utf-8

  //EX[3,0,2,1,0,1,["com...TRUNCATED...

Is there any way to disable these headers? Or is there any description that lets me tell the user this is NOT a vulnerability?

AP server is JBoss EAP 7.3.8 GA

Many thanks!

--
You received this message because you are subscribed to the Google Groups "GWT Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/d/msgid/google-web-toolkit/19c2d28c-e256-40fb-ba2e-0e204e31f936n%40googlegroups.com.
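A servlet container such as JBoss EAP (Undertow) does not act on X-HTTP-Method-Override and its variants by itself; the verb only changes if application code or a framework filter explicitly reads those headers, and a 200 response on its own does not show that happened. Since the vendor app's GWT-RPC endpoints are only ever called with POST, the simplest defensive answer to the scanner finding is to make the deployment refuse any request that carries one of the three headers, so the override path can be shown to be closed regardless of what the vendor code does. The filter below is an added example written for this thread, not code from the original post, GWT, or the vendor; it targets the javax.servlet 4.0 API shipped with JBoss EAP 7.3 and assumes the filter class is packaged into the WAR (the class name, the 400 status and the log wording are choices made here).

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.List;
import java.util.logging.Logger;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Rejects any request that carries an HTTP method override header.
 *
 * The GWT-RPC endpoints under /CustomPortal/dispatch/ are only ever called
 * with POST, so there is no legitimate reason for a client to ask the
 * server to treat the request as a different verb. A request carrying one
 * of the override headers is answered with 400 and logged, which both closes
 * the override path and gives the SOC a signal when a scanner or attacker
 * tries it.
 *
 * Example class written for this thread; not part of GWT or the vendor app.
 */
@WebFilter(urlPatterns = "/*")
public class MethodOverrideRejectFilter implements Filter {

    private static final Logger LOG =
            Logger.getLogger(MethodOverrideRejectFilter.class.getName());

    /**
     * Header names from the WebInspect finding. HTTP header names are
     * case-insensitive and HttpServletRequest.getHeader() honours that, so
     * "X-HTTP-METHOD" in the scan matches "X-HTTP-Method" here.
     */
    static final List<String> OVERRIDE_HEADERS = Arrays.asList(
            "X-HTTP-Method", "X-HTTP-Method-Override", "X-Method-Override");

    /** Returns the first override header present on the request, or null if none. */
    static String findOverrideHeader(HttpServletRequest request) {
        for (String name : OVERRIDE_HEADERS) {
            if (request.getHeader(name) != null) {
                return name;
            }
        }
        return null;
    }

    @Override
    public void init(FilterConfig filterConfig) {
        // Nothing to configure: the header list is fixed.
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest && res instanceof HttpServletResponse) {
            HttpServletRequest request = (HttpServletRequest) req;
            String offending = findOverrideHeader(request);
            if (offending != null) {
                // Log the real verb, the path, the source address and the
                // requested override so the event can be correlated later.
                LOG.warning("Rejected " + request.getMethod() + " " + request.getRequestURI()
                        + " from " + request.getRemoteAddr() + ": override header "
                        + offending + "=" + request.getHeader(offending));
                ((HttpServletResponse) res).sendError(
                        HttpServletResponse.SC_BAD_REQUEST,
                        "HTTP method override is not supported");
                return; // do not continue the chain
            }
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
        // Nothing to release.
    }
}
```

With no source for the vendor app, the compiled class can be dropped into the deployment's WEB-INF/classes (or a jar in WEB-INF/lib). The @WebFilter annotation is only scanned when the vendor's web.xml does not set metadata-complete="true"; if it does, add an equivalent filter and filter-mapping entry for /* to that web.xml instead. After deploying, re-running the same WebInspect request should now return 400 rather than 200, and the warning line in the server log gives a ready-made detection for further attempts.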
