
Status Not under consideration
Workspace DataPower Gateway
Created by Guest
Created on Dec 12, 2018

GET and POST Interchangeable

The application was found to allow parameters using either the HTTP GET or POST methods interchangeably. This provides two separate HTTP method inputs to the application server which may have implications such as allowing certain attacks to be more effective and sensitive data being unnecessarily stored in URL access logs.
In the context of encrypted HTTP communication over TLS/SSL, POST method requests when converted to GET method ones may result in query parameters being appended behind the GET URL, which may inadvertently be stored in systems with URL access logging. Some of this information sent over in GET query parameters could potentially be sensitive.
In addition, the ability to swap between GET and POST methods could allow an attacker to carry out certain attacks more effectively, such as cross-site scripting (XSS) payloads embedded within a link or cross-site request forgery (CSRF) containing malicious actions, both of which could be delivered via a simple URL link masquerading as a trusted resource. This is not possible with POST requests, where parameters are sent in the HTTP request body. In certain cases, interchanging GET and POST requests may also allow an attacker to evade input validation on parameters using GET where POST is the expected method of delivery.

This RFE is requested as IBM directed us to do so in case/PMR TS001005338.

Idea priority Medium
RFE ID 128256
RFE URL
RFE Product IBM DataPower Gateways
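The mitigation the idea asks for, shown as an added example (not code from the idea submitter or from DataPower itself): a request pre-check that binds each route to one HTTP method and one parameter source, so a POST endpoint never reads its parameters from the query string and a GET endpoint never accepts a body. The route table (`/login`, `/search`), the request object shape and the sample requests are assumptions constructed for the example; a gateway-side log formatter that redacts the query string is included because the idea's second concern is parameter values ending up in URL access logs.

```javascript
// Added example, not part of the IBM idea or of DataPower: enforce that GET
// query parameters and POST body parameters are NOT interchangeable.

// Hypothetical route policy: the single method each endpoint accepts and the
// only place its parameters may come from.
const ROUTE_POLICY = {
  "/login":  { method: "POST", paramsFrom: "body" },
  "/search": { method: "GET",  paramsFrom: "query" },
};

const FORM_TYPE = "application/x-www-form-urlencoded";

// Parse a urlencoded body into a plain object.
function parseForm(text) {
  return Object.fromEntries(new URLSearchParams(text || ""));
}

// Decide whether a request may proceed and, if so, return the parameters taken
// ONLY from the source the route policy allows.
// req: { method, url, headers: { "content-type"?: string }, body?: string }
function checkRequest(req) {
  const u = new URL(req.url, "https://gateway.example"); // base is a placeholder
  const policy = ROUTE_POLICY[u.pathname];
  if (!policy) {
    return { allowed: false, reason: "unknown route" };
  }
  if (req.method !== policy.method) {
    // e.g. a GET to /login is refused instead of being accepted "interchangeably"
    return { allowed: false, reason: "method not allowed for route" };
  }
  const queryParams = Object.fromEntries(u.searchParams);
  const hasQuery = Object.keys(queryParams).length > 0;
  const contentType = ((req.headers || {})["content-type"] || "").split(";")[0].trim();

  if (policy.paramsFrom === "body") {
    if (hasQuery) {
      // Refuse rather than silently ignore: a query string on a POST route is
      // exactly the pattern that leaks values into URL access logs.
      return { allowed: false, reason: "parameters must be in body, not query string" };
    }
    if (contentType !== FORM_TYPE) {
      return { allowed: false, reason: "unexpected content type" };
    }
    return { allowed: true, params: parseForm(req.body) };
  }
  // policy.paramsFrom === "query"
  if (req.body) {
    return { allowed: false, reason: "GET must not carry a body" };
  }
  return { allowed: true, params: queryParams };
}

// Access-log line that never records query parameter values.
function logLine(req) {
  const u = new URL(req.url, "https://gateway.example");
  return `${req.method} ${u.pathname}${u.search ? "?[redacted]" : ""}`;
}

// Constructed sample requests (not real traffic).
const SAMPLES = {
  goodPost:   { method: "POST", url: "/login", headers: { "content-type": FORM_TYPE },
                body: "user=alice&pass=secret" },
  getToPost:  { method: "GET",  url: "/login?user=alice&pass=secret", headers: {} },
  postQuery:  { method: "POST", url: "/login?user=alice", headers: { "content-type": FORM_TYPE },
                body: "pass=secret" },
  goodGet:    { method: "GET",  url: "/search?q=datapower", headers: {} },
};

function evaluateSamples() {
  const out = {};
  for (const [name, req] of Object.entries(SAMPLES)) {
    out[name] = { decision: checkRequest(req), log: logLine(req) };
  }
  return out;
}

for (const [name, r] of Object.entries(evaluateSamples())) {
  console.log(name, JSON.stringify(r.decision), "|", r.log);
}
```

Refusing the request outright, rather than merging query and body parameters or quietly reading whichever is present, is the point: the same endpoint then has exactly one input channel, so the GET-link delivery and the validation-bypass cases the idea describes do not arise.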