
GET and POST HTTPS methods are interoperable in Servlet

asked 2022-12-05 22:28:59 +0800

MKM

During our security analysis we have found that the POST and GET HTTP methods are interoperable for the DHtmlUpdateServlet; it's the same for other servlets too.

This vulnerability can facilitate exploitation of CSRF (Cross Site Request Forgery) or XSS (Cross Site Scripting) attacks on the web-site. Moreover, it can lead to a confidentiality problem because you can find parameters in the browser history or in the server’s logs.

Is there any security report which confirms the protection against it?

Currently we are using version 9.6.0.2.


1 Answer


answered 2022-12-06 15:05:49 +0800

MDuchemin (ZK Team)

GET contains the actual code: https://github.com/zkoss/zk/blob/master/zk/src/org/zkoss/zk/au/http/DHtmlUpdateServlet.java#L393

POST is routed to GET because they are expected to do the same thing (expected for most traffic): https://github.com/zkoss/zk/blob/master/zk/src/org/zkoss/zk/au/http/DHtmlUpdateServlet.java#L457

  • This URL is not reached by user actions, only by the automated Client Engine's /zkau requests and responses.

  • The distinction between POST and GET mostly matters when sending forms as "action"; this is not the case with /zkau (the URL used by the DHtmlUpdateServlet). Instead the servlet only receives Ajax calls with a payload (not GET params or form content), which means that such requests don't show up in the browser history, and their content is also not visible by inspecting the URL.

  • Additionally, the payload is encrypted when using SSL (HTTPS), which prevents MitM attacks, since the request body cannot be read without the proper certificate exchange.

  • The DHtmlUpdateServlet doesn't serve pages. It receives client-side events and updates, and returns server-to-client updates and commands.

The other relevant servlet would be DHtmlLayoutServlet, which is in charge of receiving page requests, but the comments are mostly the same:

  • ZK doesn't rely on form action, so the distinction between POST and GET is mostly meaningless.

  • Servlet output is expected to be the same for POST and GET.

As a result, this was reported a few times, but never considered to be a security risk in a ZK application.

That said, ZK is pretty flexible, and if you need to modify how the servlets act, you can absolutely extend the default servlets, override doPost and doGet, and register your extended servlets in web.xml instead of the default layout and update servlets respectively.

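As an added illustration of the extension route the answer describes (this is example code, not part of the original answer and not ZK's own code), the servlet below subclasses DHtmlUpdateServlet so that the AU endpoint answers only POST. The class name, the request-attribute name, and the assumption that GET traffic under /zkau/web/ is static-resource loading that must stay allowed are all mine; check the path layout against the ZK version you run before deploying. The attribute is needed because, as the answer notes, the stock doPost delegates to doGet, so an override of doGet would otherwise reject POST as well.

```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.zkoss.zk.au.http.DHtmlUpdateServlet;

/**
 * Example (not ZK's own code): an update servlet that processes AU requests
 * only when they arrive by POST. Register it in web.xml in place of
 * DHtmlUpdateServlet for the /zkau/* url-pattern.
 */
public class PostOnlyUpdateServlet extends DHtmlUpdateServlet {

    // Hypothetical request attribute that tells doGet the call came in
    // through doPost. The stock doPost routes to doGet, and virtual dispatch
    // would otherwise land in our override and reject legitimate POSTs.
    private static final String VIA_POST =
            PostOnlyUpdateServlet.class.getName() + ".viaPost";

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        req.setAttribute(VIA_POST, Boolean.TRUE);
        try {
            super.doPost(req, resp); // stock implementation delegates to doGet
        } finally {
            req.removeAttribute(VIA_POST);
        }
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        boolean viaPost = Boolean.TRUE.equals(req.getAttribute(VIA_POST));
        if (isAuRequest(req) && !viaPost) {
            // A plain GET to the AU endpoint: refuse it and advertise POST.
            resp.setHeader("Allow", "POST");
            resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
            return;
        }
        super.doGet(req, resp);
    }

    /**
     * Assumption: requests whose path info starts with /web/ are static
     * resource fetches made by GET, so the method restriction is applied only
     * to the AU endpoint itself. Adjust if your deployment lays paths out
     * differently.
     */
    private static boolean isAuRequest(HttpServletRequest req) {
        String path = req.getPathInfo();
        return path == null || !path.startsWith("/web/");
    }
}
```

To wire it in, keep the existing servlet entry that is mapped to /zkau/* in web.xml (ZK's documented web.xml calls it auEngine) together with its init-params, and only change its servlet-class to the class above. The same pattern applies to a subclass of DHtmlLayoutServlet if you want the page endpoint to behave differently for the two methods. Before relying on it, exercise a full page load and a few AU round trips with the browser's network tab open, so that any GET the Client Engine actually makes to the endpoint shows up as a 405 rather than as a silent failure in production.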

Stats

Asked: 2022-12-05 22:28:59 +0800

Last updated: Dec 06 '22
