Penetration Test for Password

Hello Experts,

Our clients did penetration testing for the login page and they found that in login we are passing the user name and password using the GET method. They suggested passing those using the POST method.

But I am unable to reproduce this issue, because login in Mendix uses the POST method as far as I have seen.

So, any idea on how to fix this? Answers are very much appreciated.
asked
1 answer

We got the feedback a little differently: Mendix uses POST, but it can be changed to the supposedly less secure GET and then still works. We ignored it: you need to do some hackish stuff to change it to a GET call and there is no upside to doing so. The CVSS score was quite low iirc. Also I don't think there is much we as developers can do, it's a Mendix thing to allow GET on the login request handler.

answered