Idea ID: 2830636

Issue with Security Scan of DCA login url

Status : New Idea


Password submitted using GET method - The page contains a form with the following action URL, which is submitted using the GET method: https://<dca_login_url>:5443/mngPortal/. The form contains the following password field: password.

  • This is detected in the vulnerability scan using Nexpose.

Recommended Solution

All forms submitting passwords should use the POST method. To achieve this, applications should specify the method attribute of the FORM tag as method="POST". It may also be necessary to modify the corresponding server-side form handler to ensure that submitted passwords are properly retrieved from the message body rather than the URL. If you are not using this field, remove it from the form.
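As an added example (not the DCA product's own code), the two halves of the fix in one place: a check for the condition the scan flags, i.e. a form that carries a password field but submits via GET (a missing method attribute counts, because browsers default to GET), beside a server-side rule that reads the password only from a POST body. The form markup and the action host are constructed placeholders, not values from the product.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs

# Constructed sample: the weak form (method omitted, so the browser submits via GET)
# and the corrected one. The action URL is a placeholder standing in for the DCA portal.
WEAK_FORM = """
<form action="https://dca.example.invalid:5443/mngPortal/">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="submit" value="Login">
</form>
"""
FIXED_FORM = WEAK_FORM.replace('<form action=', '<form method="POST" action=')


class PasswordFormAuditor(HTMLParser):
    """Collects action URLs of forms that hold a password field and submit via GET."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._form = None  # (action, method) of the form currently open

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            # No method attribute means GET: that is the HTML default, not "safe".
            self._form = (attrs.get("action") or "", (attrs.get("method") or "get").lower())
        elif tag == "input" and self._form and (attrs.get("type") or "").lower() == "password":
            action, method = self._form
            if method == "get" and action not in self.findings:
                self.findings.append(action)

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def password_forms_using_get(html):
    auditor = PasswordFormAuditor()
    auditor.feed(html)
    return auditor.findings


def read_password(method, query_string, body):
    """Server-side counterpart: accept the password only from a POST body. Returns None
    for GET requests or when the password rides in the URL, so a credential that landed in
    proxy logs, browser history or Referer headers is never treated as a valid login."""
    if method.upper() != "POST" or "password" in parse_qs(query_string):
        return None
    return parse_qs(body).get("password", [None])[0]
```

Feeding the portal's login page HTML to password_forms_using_get reproduces the scanner's finding locally, and an empty list after the change is the quick confirmation that the fix took.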