I am facing a pen testing issue as below. Is there a way so that we can restrict the method as POST from the java-script end. Tried .setAttribute('method', 'POST') but that is breaking the application. Is there any other way to achieve this so that the pen testing issue can be resolved? I am using a stripes form and button as in the snippet below.
Request designed as POST is accepted as GET . The application will accept and process a request sent as a GET, even though it is designed to be used as a POST. A GET request exposes any included parameters in browser history, printed pages, and server logs. A POST prevents those exposures.
<stripes:form autocomplete="off" beanclass="com.demo.SubmitEmployeeAction" id="submitEmployeeForm" name="submitEmployeeForm">
$("#submitEmp").click(function(event){
event.preventDefault();
document.submitEmployeeForm.action='SubmitEmployee.action?submitEmployeeForm=';
$("#submitEmp").attr('disabled','disabled');
$("#submitEmployeeForm").submit();
});
<button id="submitEmp" class="grayBtnCancel" style="font-size: 93%;" >Submit Employee</button>
The issue is:
Any changes you make to the client to try to get it send only POST isn't going to change what the server will accept.
You can't trick this test with client-side code.
To stop the testing system from complaining, change the server so it throws a 405 Method Not Allowed response for GET requests to that URL.