USGS-WiM / SiGLDMS

Data management system for SiGL

Remediate Vulnerability: Password field submitted using GET method #253

Closed aaronstephenson closed 2 years ago

aaronstephenson commented 2 years ago

Acunetix scan reports this app uses GET to submit passwords. Passwords must be submitted using a POST request. This is a Medium vulnerability and is a priority.

esmyers commented 2 years ago

I definitely changed this last year and it is using a POST. Do you think it's the response methods that are causing the issue?

esmyers commented 2 years ago

Do we have a specific URL that was identified by the Acunetix scan?

There is an old test version of the DMS running in that bucket that uses the GET method. I deleted that application, but I'm trying to determine if there is still an issue with the current updated version of sigl.wim.usgs.gov/SiGLDMS/

aaronstephenson commented 2 years ago

It says it's hitting https://sigl.wim.usgs.gov/SiGLDMS/component/logInOut/login.html

Here's the specific section of the scan report:


aaronstephenson commented 2 years ago

You're probably right about the headers. This line is interesting:

The form's method attribute is either set to GET, or not defined at all, in which case it defaults to GET

So yeah, maybe it's the values in the Access-Control-Allow-Methods header?
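The scan finding quoted above is about the form element itself: a form with no `method` attribute submits with GET, so a password field inside it ends up in the URL query string (and therefore in browser history, proxy and server access logs). The following added example, which is not code from the SiGLDMS project, is a small static check a defender can run over login templates before a scanner does; the HTML it audits is constructed sample markup, not the real `login.html`.

```python
from html.parser import HTMLParser

# Constructed sample markup (not the SiGLDMS login.html): three forms that
# exercise the cases the audit distinguishes. The second form omits method,
# so it defaults to GET and would leak the password into the query string.
SAMPLE_HTML = """
<form action="/login" method="POST">
  <input name="user"><input type="password" name="pw">
</form>
<form action="/legacy-login">
  <input name="user"><input type="PASSWORD" name="pw">
</form>
<form action="/search" method="get"><input name="q"></form>
"""

class PasswordFormAuditor(HTMLParser):
    """Record every <form>, its effective method, and whether it holds a password input."""
    def __init__(self):
        super().__init__()
        self.forms = []        # dicts with keys: action, method, has_password
        self._current = None   # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)        # HTMLParser already lowercases tag and attribute names
        if tag == "form":
            # Per the HTML spec a missing (or empty) method attribute means GET.
            self._current = {
                "action": a.get("action", ""),
                "method": (a.get("method") or "get").lower(),
                "has_password": False,
            }
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            # type is case-insensitive and defaults to "text" when absent
            if (a.get("type") or "text").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def find_password_forms_using_get(html):
    """Return the action of each form that would send a password field via GET."""
    auditor = PasswordFormAuditor()
    auditor.feed(html)
    return [f["action"] for f in auditor.forms
            if f["has_password"] and f["method"] != "post"]

if __name__ == "__main__":
    for action in find_password_forms_using_get(SAMPLE_HTML):
        print(f"password form would submit via GET: {action}")
```

Any form the check reports needs an explicit `method="post"`; the `Access-Control-Allow-Methods` response header does not change how a form submits.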

esmyers commented 2 years ago

This should take care of it: https://github.com/USGS-WiM/SiGLDMS/pull/254

I have no way of testing that this is an acceptable fix for them, but based on the outline of the problem, this seems to have fixed the issue to the best of my knowledge.

aaronstephenson commented 2 years ago

Thanks @esmyers, I'm sure this will fix it. We'll know for sure during the next scan in December!