mpcom
Visitor

Web application form sends credentials using HTTP GET request.

Hello,

Hoping you can shed some light on this. We're failing a PCI compliance scan on our static IP and one of the reasons is "Web application form sends credentials using HTTP GET request." The resolution is to "change web application forms to use HTTP POST instead."

The address that is the problem is a login page for our IP/Comcast Business.
Example: https://XX-XX-XXX-XXX-static.hfc.comcastbusiness.net/login

Any way that this can be changed to use POST instead of GET? Why is Comcast using GET if it's vulnerable? Alternatively, from my research I've found that this could be a false positive on the scan, but without documentation from Comcast Business, the scan company will not list it as so.

For instance, I came across a company where they also have this issue - but GET was only used to input the login info, once it was entered, it changed to POST - therefore it was a false positive as it was actually compliant.

Thank you.

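One way to check the scan finding described in the post above, added here as an example and not part of the original thread or any Comcast code: it parses a saved copy of a login page and reports the submit method of every form that contains a password field. The sample HTML and the names `LoginFormAuditor` and `audit_login_page` are constructed for illustration.

```python
from html.parser import HTMLParser

class LoginFormAuditor(HTMLParser):
    """Records each <form> that holds a password input and its submit method."""
    def __init__(self):
        super().__init__()
        self.findings = []   # forms containing a password field
        self._form = None    # form currently open, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # HTML rule: a missing or unrecognised method attribute means GET.
            method = (a.get("method") or "get").strip().lower()
            if method not in ("get", "post", "dialog"):
                method = "get"
            self._form = {"action": a.get("action") or "", "method": method, "pw": False}
        elif tag == "input" and self._form is not None:
            if (a.get("type") or "text").strip().lower() == "password":
                self._form["pw"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._flush()

    def _flush(self):
        if self._form is not None and self._form["pw"]:
            self.findings.append(self._form)
        self._form = None

def audit_login_page(html):
    """Return one result per credential-bearing form in the given HTML."""
    parser = LoginFormAuditor()
    parser.feed(html)
    parser.close()
    parser._flush()  # count a form that was never closed before end of input
    return [{"action": f["action"], "method": f["method"].upper(),
             "credentials_in_url": f["method"] == "get"} for f in parser.findings]

# Constructed sample pages (not taken from any real device or site).
SAMPLE_GET = ('<form action="/login"><input name="user">'
              '<input type="password" name="pass"><button>Sign in</button></form>')
SAMPLE_POST = ('<form action="/login" method="POST"><input name="user">'
               '<input type="password" name="pass"/></form>')
SAMPLE_SEARCH = '<form action="/search"><input name="q"></form>'

if __name__ == "__main__":
    for page in (SAMPLE_GET, SAMPLE_POST, SAMPLE_SEARCH):
        print(audit_login_page(page))
```

This reads the static markup only: a `formmethod` attribute on a submit button or a script-driven submit can change the request actually sent, so the browser's network log for a real sign-in is the evidence a scan vendor would need for a false-positive claim.
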
Official Employee

Re: Web application form sends credentials using HTTP GET request.

Hi there, thanks so much for taking the time to reach out to the Digital Care Team here through the forums and sorry to see that you are having issues with web applications. You have reached the right team to help get this taken care of. Can you please send a private message with your name, the full address, and phone/account number? 
