IBM Security Verify

  • 1.  Verify http request method

    Posted Mon February 08, 2021 05:38 AM
    Please, I need to know how to check the request method type, whether it will be GET or POST, for InfoMaps that are called from an HTML page.

    ------------------------------
    Hossam Mohamed
    ------------------------------


  • 2.  RE: Verify http request method

    Posted Mon February 08, 2021 06:05 AM
    Hello Hossam,

    I don't think this is currently possible but I heard something is planned for next release (although I cannot provide commitment or time frame for that).

    Why do you need to know the method that was used?  You should get access to data provided either way.  Perhaps if we understand the requirement there is some other way it can be solved?

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------



  • 3.  RE: Verify http request method

    Posted Mon February 08, 2021 07:25 AM
    Hello Jon,
    I need to know the method used because I have created a policy that manages user login to a web application, and the pentester raised an issue called "HTTP Request Interchange": the POST request for user authentication was processed after changing the request type to GET, which resulted in passing details like the
    username and password in the URL,
    so I need to check the request method before execution of the InfoMap.


    ------------------------------
    Hossam Mohamed
    ------------------------------



  • 4.  RE: Verify http request method

    Posted Mon February 08, 2021 10:21 AM
    Hossam,

    I had a thought about how this could be accomplished today.  Looking at the "HTTP Transformation Rule" functionality in the Reverse Proxy, the transformation has access to the method of the request.

    So, you could create a transformation rule which matches on AAC URLs and GET method and returns an error page.
    For a more generic case you could use the transformation rule to read the method and populate it to an HTTP header. This would then be available in your InfoMap.

    I'm afraid I don't have a concrete example of the HTTP Transformation Rule logic that would do this work but hopefully this points you in the right direction.  Maybe someone else can provide an example rule?

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------
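
The rule Jon describes, written out as an added example (it is not from the original thread, and not IBM's own sample). It combines both of his options in one request transformation: a GET to the AAC authentication service is answered directly with a 405 so the InfoMap never runs with credentials in the query string, and any other method is passed through with the method copied into an `X-Request-Method` header. The `<HTTPRequest>`/`<HTTPRequestChange>`/`<HTTPResponse>` element names, the `action` values on `<Header>`, and the `[http-transformations]` stanza layout are written from memory of the reverse proxy's transformation-rule format and must be checked against the product documentation for the deployed version; the rule name `authsvc-method-guard`, the header name, and the `/mga/sps/authsvc*` pattern are assumptions (the junction name and authentication service path depend on the deployment).

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!--
  Assumed reverse proxy configuration that activates this rule (the rule
  file itself is uploaded under the reverse proxy's HTTP Transformations
  section with the name used here; stanza syntax is an assumption):

    [http-transformations]
    authsvc-method-guard = authsvc-method-guard.xsl

    [http-transformations:authsvc-method-guard]
    request-match = request:GET /mga/sps/authsvc*
    request-match = request:POST /mga/sps/authsvc*
-->
<xsl:stylesheet version="1.0"
                xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:output method="xml" omit-xml-declaration="yes" indent="yes"/>
  <xsl:strip-space elements="*"/>

  <!-- The reverse proxy hands the rule an <HTTPRequest> document (assumed
       layout); the method is read from /HTTPRequest/RequestLine/Method. -->
  <xsl:template match="/">
    <xsl:variable name="method" select="/HTTPRequest/RequestLine/Method"/>
    <xsl:choose>
      <!-- Case 1: a GET to the authentication service is rejected at the
           proxy, before the InfoMap runs, so a username and password can
           never be accepted from a URL query string. -->
      <xsl:when test="$method = 'GET'">
        <HTTPResponse>
          <Status>405</Status>
          <Reason>Method Not Allowed</Reason>
          <Headers>
            <Header name="Allow" action="add">POST</Header>
            <Header name="Content-Type" action="add">text/html</Header>
          </Headers>
          <Body>&lt;html&gt;&lt;body&gt;&lt;h1&gt;405 Method Not Allowed&lt;/h1&gt;Login must be submitted with POST.&lt;/body&gt;&lt;/html&gt;</Body>
        </HTTPResponse>
      </xsl:when>
      <!-- Case 2: any other method is forwarded with the method copied into
           a header the InfoMap can read. A client-supplied copy of the header
           is removed first (assumed "remove" semantics) so the value the
           InfoMap sees is the one the proxy set, not one the client chose. -->
      <xsl:otherwise>
        <HTTPRequestChange>
          <Headers>
            <Header name="X-Request-Method" action="remove"/>
            <Header name="X-Request-Method" action="add">
              <xsl:value-of select="$method"/>
            </Header>
          </Headers>
        </HTTPRequestChange>
      </xsl:otherwise>
    </xsl:choose>
  </xsl:template>
</xsl:stylesheet>
```

Inside the InfoMap the header is then available through the request-header attribute namespace, for example `context.get(Scope.REQUEST, "urn:ibm:security:asf:request:header", "X-Request-Method")`, and the mapping rule can refuse to process credentials unless the value is `POST`. Of the two halves, the 405 at the proxy is the one that actually closes the pentester's finding: a header check in the InfoMap only tells you what happened, whereas rejecting the GET keeps the credentials out of the URL, the proxy request log and the browser history in the first place. Before relying on the rule, test it with a GET, a POST, and a POST that already carries a forged `X-Request-Method` header.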