Last post Nov 11, 2009 11:21 AM by sunitha4ever
Nov 11, 2009 11:21 AM|sunitha4ever
My web application runs on IIS7 and Windows Server 2008. Right now, we are facing an issue where the application was found to accept parameters using the GET and POST HTTP methods interchangeably. This provides 2 distinct methods for providing input to the application and can make certain attacks more viable.
For example, if an attacker found a POST parameter which was vulnerable to cross-site scripting (XSS), and GET and POST requests were interchangeable, the XSS attack could be performed via GET instead, allowing them to create a URL to send to potential victims.
I would be glad if someone could help me to resolve this issue.
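An added example, not part of the original post and not the poster's code: one way to stop a POST parameter from being accepted over GET, assuming the application is ASP.NET. The handler name `CommentHandler` and the field name `comment` are hypothetical.

```csharp
using System;
using System.Web;

// Hypothetical handler; CommentHandler and the "comment" field are illustrative names.
public class CommentHandler : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        HttpRequest request = context.Request;
        HttpResponse response = context.Response;

        // This endpoint accepts submitted input over POST only; any other
        // method is answered with 405 and an Allow header.
        if (!string.Equals(request.HttpMethod, "POST", StringComparison.Ordinal))
        {
            response.StatusCode = 405;
            response.AppendHeader("Allow", "POST");
            return;
        }

        // Weak pattern (left commented out): request["comment"] and
        // request.Params["comment"] search QueryString, Form, Cookies and
        // ServerVariables, so a value placed in the URL is accepted as if
        // it had been posted.
        // string comment = request["comment"];

        // Method-specific pattern: read the field from the POST body only.
        string comment = request.Form["comment"];

        // Refuse requests where the field is missing from the body or is
        // also supplied in the query string.
        if (comment == null || request.QueryString["comment"] != null)
        {
            response.StatusCode = 400;
            return;
        }

        response.ContentType = "text/html";
        // Encode on output as well: restricting the method narrows how the
        // input can be delivered, but does not remove an XSS flaw by itself.
        response.Write(HttpUtility.HtmlEncode(comment));
    }
}
```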