Hao Sun (HaoS9285)
Sun Life Financial Inc.
US
Member since 2018, 7 posts
Posted: 9 Feb 2021 14:22 EST
Last activity: 9 Aug 2021 9:10 EDT

Application accepts modified requests where the HTTP method is changed from POST to GET

Hi,

Our application recently underwent a security test, and one of the findings indicates that our application accepts modified requests where the HTTP method is changed from POST to GET. This may lead to exposure of the sensitive information transmitted in the URI string.

Recommendation:

1. Reject requests which do not use the expected HTTP method.

2. Transmit all sensitive information in the encrypted body part of POST requests.

Please help recommend a solution to mitigate this issue.


Thank you!

Pega Platform 8.4.1 Security Insurance System Architect
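A minimal illustration of the finding and of recommendation 1, added here as an example and not Pega Platform code: the `login_weak` and `login_hardened` handlers, the request dicts and the access-log lines are all constructed for this post. The weak handler reads parameters from a merged query-string/body view, so a POST rewritten as GET is still served and the credentials end up in the URI; the hardened handler rejects any method other than POST and reads only the body, and a small log check flags stray GETs to the endpoint for monitoring.

```python
"""POST->GET verb tampering: why it works and how to close it.

Hypothetical handlers modelled as pure functions over a constructed
request dict, so the example runs without a web server.
"""
from urllib.parse import parse_qs


def _merged_params(req):
    """Merged view of query-string and body parameters: the weak pattern.
    Many frameworks expose such a collection, which is exactly what lets a
    body parameter be supplied in the URL instead."""
    merged = {k: v[0] for k, v in parse_qs(req.get("query", "")).items()}
    merged.update({k: v[0] for k, v in parse_qs(req.get("body", "")).items()})
    return merged


def login_weak(req):
    """Accepts any method and reads credentials from wherever they appear,
    so the same request as GET /login?user=...&pw=... succeeds and the
    secret lands in browser history, proxy logs and server access logs."""
    p = _merged_params(req)
    if "user" in p and "pw" in p:
        return 200, f"welcome {p['user']}"
    return 400, "missing credentials"


def login_hardened(req):
    """Rejects everything but POST (a real server would also send an Allow
    header) and reads credentials only from the body, never the query."""
    if req.get("method") != "POST":
        return 405, "method not allowed"
    p = {k: v[0] for k, v in parse_qs(req.get("body", "")).items()}
    if "user" in p and "pw" in p:
        return 200, f"welcome {p['user']}"
    return 400, "missing credentials"


def detect_tampering(access_log_lines):
    """Defender-side check over constructed access-log lines of the form
    '<client> <method> <path> <status>': flag non-POST hits on /login."""
    hits = []
    for line in access_log_lines:
        method, path = line.split()[1:3]
        if path.split("?", 1)[0] == "/login" and method != "POST":
            hits.append(line)
    return hits


# Constructed requests: the legitimate POST and its tampered GET variant.
LEGIT = {"method": "POST", "query": "", "body": "user=alice&pw=s3cret"}
TAMPERED = {"method": "GET", "query": "user=alice&pw=s3cret", "body": ""}
```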