Hello
I am using Apex 5.1 with Ords 3.0.2 in my company to create an internal app.
A security company ran a security test on my application and they came up with some vulnerabilities - I fixed all of them. But I cannot find a solution for the following one:
POST to GET method interchangeable
The application chooses to treat the GET and POST methods interchangeably.
On the login page the request below can be changed to GET, which gives a 200 OK response (screenshot attached).
Reference:
https://curesec.com/blog/article/blog/Security-Implications-of-GETPOST-Interchangeability-166.html
POST /ords/wwv_flow.accept HTTP/1.1
Cookie: ORA_WWV_APP_104=ORA_WWV-KZh4oAvalzrHYkT4yXVE2kOX; LOGIN_USERNAME_COOKIE=naga003
p_flow_id=104&p_flow_step_id=101&p_instance=9849263080564&p_debug=&p_request=LOGIN&p_reload_on_submit=S&p_page_submission_id=220343225544545088139427000715128166794&p_json=%7B%22pageItems%22%3A%7B%22itemsToSubmit%22%3A%5B%7B%22n%22%3A%22P101_USERNAME%22%2C%22v%22%3A%22naga003%22%7D%2C%7B%22n%22%3A%22P101_PASSWORD%22%2C%22v%22%3A%22BhOOmavathi_19%22%7D%5D%2C%22protected%22%3A%22cz-PSOA6gDQbadXEeX9sdA%22%2C%22rowVersion%22%3A%22%22%7D%2C%22salt%22%3A%22220343225544545088139427000715128166794%22%7D
Basically they said the app treats POST and GET in the same way and this could be used by a hacker. I have looked on the internet for solutions but I cannot find anything related.
Any ideas?
Thanks
Luise
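The check the scanner ran, reproduced as an added example for this thread (not code from the original post, from Oracle APEX or from ORDS): it takes the parameters of the captured login POST, moves them into the query string of a GET to /ords/wwv_flow.accept, lists which APEX page items in p_json are password fields (that is the actual harm of the finding: the credential ends up in a URL that proxies, access logs and browser history record), and sends the GET to see whether the server still answers 2xx. The sample body is constructed from the request in the post with the password replaced; the base URL https://apex.example, the script name and the rule "2xx = still interchangeable, 403/405 = rejected" are assumptions for the example.

```python
"""Check whether an ORDS/APEX endpoint still accepts a login POST replayed as a GET.

Added example for this thread, not code from the original post or from Oracle.
Assumptions: the target base URL is passed on the command line, and a 2xx answer
to the GET form of wwv_flow.accept means the two methods are still interchangeable.
"""
import json
import sys
import urllib.error
import urllib.parse
import urllib.request

ACCEPT_PATH = "/ords/wwv_flow.accept"

# Constructed sample body modelled on the captured request in the post; the real
# password has been replaced and the session/submission ids are not live values.
SAMPLE_ITEMS = [
    {"n": "P101_USERNAME", "v": "naga003"},
    {"n": "P101_PASSWORD", "v": "redacted"},
]
SAMPLE_BODY = urllib.parse.urlencode(
    {
        "p_flow_id": "104",
        "p_flow_step_id": "101",
        "p_instance": "9849263080564",
        "p_debug": "",
        "p_request": "LOGIN",
        "p_reload_on_submit": "S",
        "p_page_submission_id": "220343225544545088139427000715128166794",
        "p_json": json.dumps({"pageItems": {"itemsToSubmit": SAMPLE_ITEMS}}),
    }
)


def parse_form_body(body):
    """Decode an application/x-www-form-urlencoded body into a flat dict."""
    pairs = urllib.parse.parse_qs(body, keep_blank_values=True)
    return {k: v[0] for k, v in pairs.items()}


def post_to_get_url(base_url, body):
    """Rewrite the POST as the GET the scanner sent: same parameters, now in the query string."""
    return base_url.rstrip("/") + ACCEPT_PATH + "?" + body


def credentials_in_url(url):
    """Names of APEX page items in the URL's p_json whose name marks them as passwords.

    These values now sit in a URL that proxies, web-server access logs and
    browser history will record, which is why the finding matters.
    """
    query = urllib.parse.urlsplit(url).query
    params = parse_form_body(query)
    page = json.loads(params.get("p_json", "{}"))
    items = page.get("pageItems", {}).get("itemsToSubmit", [])
    return [item["n"] for item in items if "PASSWORD" in item["n"].upper()]


def classify(status):
    """Map the status of the GET probe to a verdict (assumed rule, see lead-in)."""
    if 200 <= status < 300:
        return "interchangeable"
    if status in (405, 403):
        return "rejected"
    return "inconclusive"


def probe(url, timeout=10):
    """Send the GET and return the HTTP status (error statuses included)."""
    req = urllib.request.Request(url, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def main(argv):
    if len(argv) < 2:
        print(f"usage: {argv[0]} https://host [file-with-fresh-post-body]")
        return 2
    body = SAMPLE_BODY
    if len(argv) > 2:
        # A live check needs a body captured from a fresh session: p_instance and
        # p_page_submission_id from an old capture are no longer valid.
        with open(argv[2], encoding="utf-8") as fh:
            body = fh.read().strip()
    url = post_to_get_url(argv[1], body)
    print("credential items carried in the URL:", credentials_in_url(url))
    status = probe(url)
    print(f"GET {ACCEPT_PATH} -> {status}: {classify(status)}")
    return 0 if classify(status) == "rejected" else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python check_get_post.py https://your-apex-host body.txt`, where body.txt holds a POST body copied from a fresh login attempt in your own browser. A 2xx only tells you that the endpoint accepted the method; whether the login was actually processed is something the response body and session cookies would have to be inspected for, which this script does not do. It also only verifies that a restriction is in place; where that restriction is enforced (ORDS, the web server, or a reverse proxy in front of it) is a separate decision.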