Replace HTTP GET with HTTP POST in IDP login.html

anoh.brou · November 9, 2018, 7:44pm

I am trying to replace all the HTTP GET with HTTP POST in the Login.html file. First of all I cannot find the login.html file and second of all, where do I go in CUBA to replace the HTTP GET with HTTP POST?

artamonov · November 9, 2018, 7:50pm

Hi,

Please do not use Community How Tos category for questions. It is meant to be used for guides from community, not for questions.

artamonov · November 9, 2018, 7:52pm

Could you please clarify, what login.html are you talking about? There is no login.html in CUBA itself.

Why do you think that CUBA uses GET for requests?

anoh.brou · November 9, 2018, 8:02pm

When I deployed the application, I found the login.html being created under folder \deploy\tomcat\webapps\app\idp.

anoh.brou · November 9, 2018, 8:11pm

I ran a Fortify Security process and here is one of the items in the report:
“The form in login.html submits a password as part of an HTTP GET request on line 39, which will
cause the password to be displayed, logged, and stored in the browser cache.Submitting a password
as part of an HTTP GET request will cause the password to be displayed, logged, or stored in a cache.”
Recommendation
Avoid sending sensitive data, such as passwords, via an HTTP GET request. Sensitive data should
travel from the browser to the server using HTTP POST, not HTTP GET.

artamonov · November 9, 2018, 8:14pm

First of all, this page is used only if IDP functionality is enabled. It is disabled by default on the server-side. Second - it sends login and password using AJAX POST, you can easily check its code.

Standard Web Client sends all data using AJAX POST.

anoh.brou · November 9, 2018, 8:17pm

Thank you so much for the quick reply. I will disable it.

artamonov · November 9, 2018, 8:18pm

It is already disabled, what are you trying to disable?

anoh.brou · November 9, 2018, 8:22pm

I keep getting dinged by the Fortify on Demand
Security Review for what it finds in the login.html file. I need to do something not to allow CUBA to generate that file so I can pass that security review. Fortify sees the HTTP GET in that file as a security vulnerability.

artamonov · November 9, 2018, 8:23pm

Your tool shows false positive results, open the file and check it manually. Form is sent using POST only.

anoh.brou · November 9, 2018, 8:47pm

I can’t even find POST in the code behind the form.

artamonov · November 11, 2018, 7:47am

Check login.js file (line 44):

$.ajax({
    type: "POST",
    url: "auth",
    data: JSON.stringify({
        username: $('.form-username').val(),
        password: $('.form-password').val(),
        serviceProviderUrl: serviceProviderUrl,
        responseType: responseType,
        locale: selectedLocale
    }),

anoh.brou · November 11, 2018, 1:32pm

Thank you so much for your help! I was able to figure it out and indeed it was a false positive as you suggested.