On Fri, Oct 16, 2020, 23:27 Eric Hamel <dantehick...@gmail.com> wrote:
> I apologize in advance for my vague question. Our Wicket 8 based
> application was submitted to pen testing from our EISO. While I understand
> the finding, I'm not 100% sure I understand the problem nor do I know how
> to address it.
>
> In one of our complex forms that uses Ajax calls to automatically update
> the DB when the fields lose focus, the tester made the following remark:
>
> Application accepts GET requests for coded POST Ajax calls – parameters
> can be passed in URL
>
> It appears that through his "fuzzer", even though our requests are marked
> as POST, it still processes GET requests. Is there a way to enforce POST?
> Is there any way to mitigate this issue globally from a configuration
> standpoint?

See Form#onMethodMismatch()
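As an added illustration of the pointer above (example code, not from the thread or from Wicket itself): Wicket's `Form#onMethodMismatch()` is called when a form submit arrives with an HTTP method other than the one `getMethod()` declares, and its default answer is `MethodMismatchResponse.CONTINUE`, which is why a GET replay of a POST submit is still processed. A base class that returns `ABORT` instead, and logs the mismatch, enforces POST for every form built on it; the class name `PostOnlyForm` is assumed.

```java
import org.apache.wicket.markup.html.form.Form;
import org.apache.wicket.model.IModel;
import org.apache.wicket.request.http.WebRequest;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
 * Hypothetical base form that refuses submissions whose HTTP method differs
 * from the one the form declares (POST by default). Wicket's own default is
 * MethodMismatchResponse.CONTINUE, i.e. a GET replay is accepted.
 */
public class PostOnlyForm<T> extends Form<T>
{
	private static final Logger LOG = LoggerFactory.getLogger(PostOnlyForm.class);

	public PostOnlyForm(String id)
	{
		super(id);
	}

	public PostOnlyForm(String id, IModel<T> model)
	{
		super(id, model);
	}

	@Override
	protected MethodMismatchResponse onMethodMismatch()
	{
		// Wicket only calls this when the actual method already differs from getMethod(),
		// so a hit here is a replayed or hand-built request; worth a log line for detection.
		String actual = ((WebRequest) getRequest()).getMethod();
		LOG.warn("Rejected {} submission of form '{}' (expected {})",
			actual, getPageRelativePath(), getMethod());

		// ABORT makes onFormSubmitted() return before validation and model updates run.
		return MethodMismatchResponse.ABORT;
	}
}
```

The check runs only when the form itself is submitted (a plain submit or an `AjaxFormSubmitBehavior`); a per-field `AjaxFormComponentUpdatingBehavior` updates its component without submitting the form, so a blur-triggered update of that kind needs an equivalent method check of its own.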