We identified the security finding on Integration Servers. The request methods GET and POST are interchangeable. It causes the IS to accept HTTP parameters from both GET and POST requests (and probably from other methods), regardless of the endpoint purpose.
Although this configuration is not a vulnerability on its own, it enables an attacker to exploit subsequent vulnerabilities (such as CSRF and reflected XSS) with fewer prerequisites and will also reduce the effectiveness of the security cookie attribute "SameSite" when configured to "Lax" (as we can use the Strict mode, actually just the first part -> “it enables an attacker to exploit subsequent vulnerabilities (such as CSRF and reflected XSS) with fewer prerequisites“ remains as a concern)
It is recommended to disable the interchangeability of the HTTP methods. Furthermore, the GET method should not be used to handle data designed to be stored.
[{"Line of Business":{"code":"LOB77","label":"Automation Platform"},"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSVYEV","label":"IBM webMethods Integration"},"ARM Category":[{"code":"a8mKe00000000AQIAY","label":"webMethods Integration Server (PIE)"}],"ARM Case Number":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"10.11"},{"Line of Business":{"code":"LOB77","label":"Automation Platform"},"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSFIWYE","label":"IBM webMethods B2B"},"ARM Category":[{"code":"a8mKe00000000AQIAY","label":"webMethods Integration Server (PIE)"}],"ARM Case Number":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"10.11"},{"Line of Business":{"code":"LOB77","label":"Automation Platform"},"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSQG2X","label":"IBM webMethods Managed File Transfer"},"ARM Category":[{"code":"a8mKe00000000AQIAY","label":"webMethods Integration Server (PIE)"}],"ARM Case Number":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"10.11"}]
This document has the abstract of a technical article that is available to authorized users once you have logged on. Please use Log in button above to access the full document. After log in, if you do not have the right authorization for this document, there will be instructions on what to do next.