Details

Alert ID: 10058
Alert Type: Active
Status: release
Risk: Informational
CWE: 16
WASC: 20
Technologies Targeted: All
Tags: CWE-16, OWASP_2017_A06, OWASP_2021_A04, POLICY_QA_FULL, POLICY_QA_STD, WSTG-V42-CONF-06
More Info: Scan Rule Help

Summary

A request that was originally observed as a POST was also accepted as a GET. This issue does not represent a security weakness in itself; however, it may simplify other attacks. For example, if the original POST is subject to Cross-Site Scripting (XSS), then this finding may indicate that a simplified (GET-based) XSS may also be possible.

Solution

Ensure that only POST is accepted where POST is expected.
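As an added example (not ZAP's code, and not from the scan rule linked below), here is the weak pattern behind this finding beside the hardened one, written against the plain WSGI interface so it runs without a server or framework; the `/comment` endpoint, the `text` field and all function names are assumptions made for the illustration.

```python
from io import BytesIO
from urllib.parse import parse_qs


def _form_body(environ):
    """Parse only the request body, the place a POST form's data belongs."""
    length = int(environ.get("CONTENT_LENGTH") or 0)
    raw = environ["wsgi.input"].read(length).decode() if length else ""
    return {k: v[0] for k, v in parse_qs(raw).items()}


def lax_comment_app(environ, start_response):
    """Weak pattern: the method is never checked and query-string parameters
    are merged with the body, so GET /comment?text=... is accepted as if POSTed."""
    params = {k: v[0] for k, v in parse_qs(environ.get("QUERY_STRING", "")).items()}
    params.update(_form_body(environ))
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [f"posted: {params.get('text', '')}".encode()]


def strict_comment_app(environ, start_response):
    """Hardened pattern: only POST reaches the handler, the body is the only
    parameter source, and every other method gets 405 with an Allow header."""
    if environ["REQUEST_METHOD"] != "POST":
        start_response("405 Method Not Allowed",
                       [("Allow", "POST"), ("Content-Type", "text/plain")])
        return [b"method not allowed"]
    text = _form_body(environ).get("text", "")
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [f"posted: {text}".encode()]


def call(app, method, query="", body=b""):
    """Invoke a WSGI app with a constructed environ; return (status, body text)."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": "/comment",
               "QUERY_STRING": query, "CONTENT_LENGTH": str(len(body)),
               "CONTENT_TYPE": "application/x-www-form-urlencoded",
               "wsgi.input": BytesIO(body)}
    status = {}

    def start_response(s, headers):
        status["value"] = s

    out = b"".join(app(environ, start_response))
    return status["value"], out.decode()


def get_accepted_for_post(app, form):
    """Regression check mirroring this finding: replay a successful POST body
    as a GET query string and report whether the app still answers 200."""
    post_status, _ = call(app, "POST", body=form.encode())
    get_status, _ = call(app, "GET", query=form)
    return post_status.startswith("200") and get_status.startswith("200")
```

`get_accepted_for_post` is the kind of assertion a test suite can keep so the endpoint does not quietly regress to accepting GET after a framework or routing change.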

Other Info

References

Code

org/zaproxy/zap/extension/ascanrules/GetForPostScanRule.java