
    Query parameters were passed in request URL

    Hi Isomorphic,

    Query parameters were passed over SSL and may contain sensitive information.

    When any POST request is made using RPCManager, some Isomorphic parameters are appended to the query string automatically by the SmartGWT framework, as shown below.
    POST /myproject/project/getdetails?_csrf=abs-err0-4a78-8274-3803e7ab4388&isc_rpc=1&isc_v=v11.0p_2017-02-11&isc_xhr=1 HTTP/1.1

    Is there a way to pass these parameters as post data?

    Regards
    Sidharth


    #2
    _csrf does not come from the framework - you're adding that in application code, so if you are concerned about it, you should modify your code so that it appears in POST data instead.

    The others have no security implications. If you disagree, we will need to see a practical attack against a correctly configured SmartGWT application where these query parameters allow the attack to be carried out.
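
Added example, not part of the thread and not SmartGWT or Isomorphic code: request URLs are normally written to web server access logs, so a quick audit of those logs shows whether an application-added token such as `_csrf` is still travelling in the query string, while the framework's `isc_*` parameters are left alone. The log lines, the token value and the `SENSITIVE` set are constructed for illustration, and a common/combined log format is assumed.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode

# Assumption: query parameter names treated as secrets. Only _csrf comes from
# the thread; extend the set for your own application.
SENSITIVE = {"_csrf"}

# Matches the quoted request line of a common/combined-format access log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')


def audit_line(line):
    """Return (leaked_param_names, line_with_values_redacted) for one log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return [], line
    parts = urlsplit(m.group("target"))
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    leaked = [name for name, _ in pairs if name in SENSITIVE]
    if not leaked:
        return [], line
    # Keep parameter names and order, replace only the sensitive values.
    redacted_query = urlencode(
        [(name, "REDACTED" if name in SENSITIVE else value) for name, value in pairs]
    )
    start, end = m.span("target")
    return leaked, line[:start] + parts._replace(query=redacted_query).geturl() + line[end:]


# Constructed sample log lines (addresses, timestamps and token are made up).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "POST /myproject/project/getdetails'
    '?_csrf=00000000-aaaa-bbbb-cccc-000000000000&isc_rpc=1&isc_v=v11.0p_2017-02-11'
    '&isc_xhr=1 HTTP/1.1" 200 512',
    '192.0.2.10 - - [01/Jan/2024:10:00:05 +0000] "POST /myproject/project/getdetails'
    '?isc_rpc=1&isc_v=v11.0p_2017-02-11&isc_xhr=1 HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        names, safe = audit_line(entry)
        print("LEAK " + ",".join(names) if names else "ok  ", safe)
```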
