Created on 11-14-2019 02:42 AM Edited on 11-23-2021 07:58 AM By Anonymous
Description
Some vulnerability scanning tools report that the FortiOS admin webUI login page submits passwords using the GET method and suggest using POST instead.
The related keywords in such reports can be:
'Password Transmitted over Query String'
'Password field submitted using GET method'
'Password submitted using GET method'
'HTML form sends password in query string (/login)'
'Web Form Sending Credentials Using GET (PCI-DSS check)'
'Web application form sends credentials using HTTP GET request'
'Change web application forms to use HTTP POST instead'
'HTTP GET method in the login page'
Scope
FortiOS admin webUI
Solution
This is a false alarm: the FortiOS admin webUI login page actually switches from the GET method to POST when sending the login credentials to FortiOS.
In technical detail, the login page form that uses the GET method has code like:
onsubmit='return false';
so the browser does not submit the form natively. Before the actual request is sent to the server, the HTTP request is changed to the POST method by JavaScript code running directly in the browser.
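For triaging this kind of scanner finding, the sketch below statically classifies the password forms in a page's HTML by declared method and by whether an inline onsubmit handler cancels native submission. It is an added example, not FortiOS or Fortinet code; the sample markup, field names, function names and verdict strings are constructed for illustration.

```javascript
// Added triage sketch. SAMPLE_HTML is constructed markup, not FortiOS source.
const SAMPLE_HTML = `
<form action='/search'><input type='text' name='q'></form>
<form method='get' action='/login' onsubmit='return false'>
  <input type='text' name='username'><input type='password' name='password'>
</form>
<form action='/signin'><input type='password' name='pw'></form>
<form method='POST' action='/auth'><input type='password' name='pw'></form>`;

// Read one attribute value from a tag's raw text; null when absent.
function attr(tag, name) {
  const re = new RegExp(`\\s${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, "i");
  const m = re.exec(tag);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

// Classify each form that contains a password input.
function classifyPasswordForms(html) {
  const results = [];
  for (const [form] of html.matchAll(/<form\b[^>]*>[\s\S]*?<\/form>/gi)) {
    const openTag = form.match(/<form\b[^>]*>/i)[0];
    const inputs = form.match(/<input\b[^>]*>/gi) || [];
    if (!inputs.some((i) => (attr(i, "type") || "").toLowerCase() === "password")) continue;

    const method = (attr(openTag, "method") || "get").toLowerCase(); // HTML default is GET
    // An inline handler that is exactly "return false" cancels native submission.
    const suppressed = /^\s*return\s+false\s*;?\s*$/i.test(attr(openTag, "onsubmit") || "");

    let verdict;
    if (method === "post") verdict = "post";
    else if (suppressed) verdict = "get-declared-native-submit-suppressed";
    else verdict = "get-native-submit"; // password would land in the query string
    results.push({ action: attr(openTag, "action"), method, suppressed, verdict });
  }
  return results;
}

console.log(classifyPasswordForms(SAMPLE_HTML));
```

A "suppressed" verdict only shows that the browser will not submit the form natively; confirm the method of the request the script actually sends in the browser's network panel or an intercepting proxy.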