We have a web app (GWT 2.7) from a vendor and we don't have any source code.
Now we are facing a vulnerability about HTTP Method Override for the HTTP headers below:
X-HTTP-METHOD
X-HTTP-Method-Override
X-METHOD-OVERRIDE
Fortify WebInspect report
Attack Request:
POST /CustomPortal/dispatch/GetCompaniesAction HTTP/1.1
Host: 10.4.202.26:8861
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0) Gecko/20100101 Firefox/98.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: text/x-gwt-rpc; charset=utf-8
X-GWT-Permutation: 3EE8E625356CC9E9E724C10285609299
X-GWT-Module-Base: https://10.4.202.26:8861/CustomPortal/custom/
Referer: https://10.4.202.26:8861/CustomPortal/
Content-Length: 311
Origin: https://10.4.202.26:8861
Pragma: no-cache
X-HTTP-METHOD: PUT
X-HTTP-Method-Override: PUT
X-METHOD-OVERRIDE: PUT
Connection: Keep-Alive
X-WIPP: AscVersion=22.2.0....TRUNCATED...
Attack Response:
HTTP/1.1 200 OK
Set-Cookie: JSESSIONIDSSO=; path=/; HttpOnly; Max-Age=0; Expires=Thu, 01-Jan-1970 00:00:00 GMT
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Referrer-Policy: strict-origin-when-cross-origin
Content-Security-Policy: default-src 'self'; object-src 'none'; base-uri 'none'; style-src 'self' 'unsafe-inline'; img-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self' https: localhost;
Content-Disposition: attachment
Date: Fri, 21 Apr 2023 06:10:56 GMT
Connection: keep-alive
X-Content-Type-Options: nosniff
Content-Length: 177
Content-Type: application/json;charset=utf-8
//EX[3,0,2,1,0,1,["com...TRUNCATED...
Is there any way to disable these headers?
Or is there any description that lets me tell the user this is NOT a vulnerability?
The app server is JBoss EAP 7.3.8 GA.
Many thanks!
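A scanner flags this check whenever the response stays 200 with the override headers present, which on its own does not prove the server rewrote the verb. The way to settle it is to send the same GWT-RPC request three times (plain POST, POST with the override headers set to PUT, and a real PUT) and compare the replies: if the overridden POST is answered exactly like the plain POST while the real PUT is answered differently, the headers are being ignored. The probe below is an added example for that comparison, not code from the question, from the vendor's app, or from JBoss; the target URL, the request body (a real GWT-RPC call also needs the X-GWT-Permutation and X-GWT-Module-Base headers, passed via `headers`), the lab-only TLS setting, and the sample request used for the self-check are all assumptions supplied by whoever runs it.

```python
"""Probe whether a server honours HTTP method-override headers.

Added example, not code from the original question or the vendor's GWT app.
Assumptions (not in the original post): the target URL, the GWT-RPC body and
the lab-only TLS settings are supplied by the caller; SAMPLE_REQUEST below is
a constructed request modelled on the scanner's report.
"""
import http.client
import ssl
from dataclasses import dataclass
from urllib.parse import urlsplit

# The three header names the scanner injected (names taken from the report).
OVERRIDE_HEADERS = ("X-HTTP-METHOD", "X-HTTP-Method-Override", "X-METHOD-OVERRIDE")

# Constructed sample request (shortened copy of the report's attack request).
SAMPLE_REQUEST = (
    "POST /CustomPortal/dispatch/GetCompaniesAction HTTP/1.1\r\n"
    "Host: 10.4.202.26:8861\r\n"
    "Content-Type: text/x-gwt-rpc; charset=utf-8\r\n"
    "X-HTTP-METHOD: PUT\r\n"
    "X-HTTP-Method-Override: PUT\r\n"
    "X-METHOD-OVERRIDE: PUT\r\n"
    "Connection: Keep-Alive\r\n"
    "\r\n"
    "7|0|4|...TRUNCATED...\r\n"
)


@dataclass(frozen=True)
class Reply:
    status: int
    body: bytes


def override_headers_in(raw_request: str) -> dict:
    """Return {lower-cased name: value} for override headers found in a raw request."""
    wanted = {h.lower() for h in OVERRIDE_HEADERS}
    head = raw_request.replace("\r\n", "\n").split("\n\n", 1)[0]
    found = {}
    for line in head.splitlines()[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() in wanted:
            found[name.strip().lower()] = value.strip()
    return found


def same(a: Reply, b: Reply) -> bool:
    return a.status == b.status and a.body == b.body


def classify(plain_post: Reply, overridden_post: Reply, real_put: Reply) -> str:
    """Say what the override headers did, given three replies to the same endpoint.

    plain_post      : POST with the normal body, no override headers
    overridden_post : the same POST with the override headers set to PUT
    real_put        : an actual PUT with the same body
    """
    if same(plain_post, overridden_post):
        # The header changed nothing. If a real PUT is answered identically too,
        # the endpoint ignores the verb altogether; otherwise the header is ignored.
        return "verb-agnostic" if same(real_put, plain_post) else "ignored"
    if same(overridden_post, real_put):
        return "honoured"          # POST was rewritten to PUT server-side: a real finding
    return "inconclusive"          # differs from both; look at sessions, rate limits, etc.


def _send(url: str, method: str, body: bytes, headers: dict, verify_tls: bool) -> Reply:
    """One request with http.client; override headers are passed through `headers`."""
    u = urlsplit(url)
    if u.scheme == "https":
        ctx = ssl.create_default_context()
        if not verify_tls:                 # lab boxes on bare IPs with self-signed certs
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
        conn = http.client.HTTPSConnection(u.hostname, u.port or 443, context=ctx, timeout=10)
    else:
        conn = http.client.HTTPConnection(u.hostname, u.port or 80, timeout=10)
    conn.request(method, u.path or "/", body=body,
                 headers={"Content-Type": "text/x-gwt-rpc; charset=utf-8", **headers})
    resp = conn.getresponse()
    data = resp.read()
    conn.close()
    return Reply(resp.status, data)


def probe(url: str, body: bytes, headers: dict = None, verify_tls: bool = True) -> str:
    """Run the three-request comparison against a live endpoint."""
    base = dict(headers or {})
    overrides = {**base, **{h: "PUT" for h in OVERRIDE_HEADERS}}
    plain = _send(url, "POST", body, base, verify_tls)
    overridden = _send(url, "POST", body, overrides, verify_tls)
    put = _send(url, "PUT", body, base, verify_tls)
    return classify(plain, overridden, put)


if __name__ == "__main__":
    import sys
    # usage: python probe.py https://host:port/CustomPortal/dispatch/GetCompaniesAction body.bin
    with open(sys.argv[2], "rb") as f:
        print(probe(sys.argv[1], f.read(), verify_tls=False))
```

Run it with a body captured from the browser (the GWT-RPC payload is tied to the deployed permutation, so do not hand-write it). An "ignored" verdict, together with the real PUT being refused, is the evidence to hand back to the user; "honoured" means a filter or handler in the deployment really rewrites the verb and the vendor needs to remove it.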