On Fri, Oct 16, 2020, 23:27 Eric Hamel <dantehick...@gmail.com> wrote:

> I apologize in advance for my vague question. Our Wicket 8 based
> application was submitted to pen testing from our EISO. While I understand
> the finding, I'm not 100% sure I understand the problem nor do I know how
> to address it.
> In one of our complex forms that uses Ajax Calls to automatically update
> the DB when the fields lose focus, the tester made the following remark:
> Applications accepts GET requests for coded POST Ajax calls – parameters
> can be passed in URL
> It appears that through his "fuzzer", even though our requests are marked
> as POST, it still processes GET requests. Is there a way to enforce POST ?
> Is there any way to mitigate this issue globally from a configuration
> standpoint ?

See Form#onMethodMismatch()


Reply via email to