

 

Symptoms


During security scanning, the following issues were identified:

1. Body Parameters Accepted in Query
2. Query Parameter in SSL Request

Please see the attached document for more information.
 

Diagnoses



1. Body Parameters Accepted in Query
Although the parameters can be added to the query string, the BlockedBrowser page contains no sensitive information and has no user input on the page itself.
The example given with the __VIEWSTATE parameter also carries no security risk, because we do not store any information in any __VIEWSTATE field.
In this instance, therefore, there is no security risk.

2. Query Parameter in SSL Request
There is no security risk: the request only converts the supplied date into a particular format, so there is no chance of leaking sensitive information.

 

Resolution


1. Body Parameters Accepted in Query
Although the parameters can be added to the query string, the BlockedBrowser page contains no sensitive information and has no user input on the page itself.
The example given with the __VIEWSTATE parameter also carries no security risk, because we do not store any information in any __VIEWSTATE field.
In this instance, therefore, there is no security risk.

2. Query Parameter in SSL Request
There is no security risk: the request only converts the supplied date into a particular format, so there is no chance of leaking sensitive information.
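
Scanners raise "Query Parameter in SSL Request" because query strings, although encrypted in transit, are commonly written to server logs and browser history, so the finding only matters when a parameter carries something sensitive. The following added example (not part of the original article or the product's code) shows one way to triage flagged URLs on that basis. The name and value patterns, hostnames, page paths other than BlockedBrowser, and parameter names other than __VIEWSTATE are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumed heuristics for this example; tune them to the application under review.
SENSITIVE_NAME = re.compile(r"pass(word|wd)?|secret|token|session|auth|api[_-]?key|ssn", re.I)
DATE_VALUE = re.compile(r"^\d{4}-\d{2}-\d{2}$|^\d{1,2}/\d{1,2}/\d{4}$")
LONG_OPAQUE = re.compile(r"^[A-Za-z0-9+/=_-]{32,}$")  # looks like a token or encoded blob

def triage_query(url):
    """Return a list of (param, verdict) for every query parameter in url."""
    results = []
    # keep_blank_values so an empty __VIEWSTATE= is still reported
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if SENSITIVE_NAME.search(name):
            verdict = "review: sensitive-looking name"
        elif DATE_VALUE.match(value):
            verdict = "benign: date value"
        elif LONG_OPAQUE.match(value):
            verdict = "review: long opaque value"
        else:
            verdict = "benign: no sensitive pattern"
        results.append((name, verdict))
    return results

def needs_review(url):
    """True if any query parameter in url was marked for manual review."""
    return any(v.startswith("review") for _, v in triage_query(url))

# Constructed sample URLs (hostnames, paths and most parameter names are made up).
SAMPLES = [
    "https://app.example.test/FormatDate.aspx?date=2024-03-01",
    "https://app.example.test/BlockedBrowser.aspx?__VIEWSTATE=",
    "https://app.example.test/Login.aspx?user=alice&password=hunter2",
    "https://app.example.test/Report.aspx?sessionToken=" + "A" * 40,
]

if __name__ == "__main__":
    for url in SAMPLES:
        for name, verdict in triage_query(url):
            print(f"{urlsplit(url).path:22} {name:14} {verdict}")
```

A populated __VIEWSTATE value would fall under the long-opaque-value rule and be marked for review, which is the case to check when confirming that nothing is stored in that field.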




 