FortiGate
ericwang_FTNT
Article Id 190693

Description
Some vulnerability scanning tools report that the FortiOS admin webUI login page submits passwords using the GET method and suggest that POST be used instead.

The related keywords in such reports can be:

'Password Transmitted over Query String'
'Password field submitted using GET method'
'Password submitted using GET method'
'HTML form sends password in query string (/login)'
'Web Form Sending Credentials Using GET (PCI-DSS check)'
'Web application form sends credentials using HTTP GET request'
'Change web application forms to use HTTP POST instead'
'HTTP GET method in the login page'

Scope
FortiOS admin webUI

Solution
This is a false alarm: the FortiOS admin webUI login page actually converts the GET method to POST when sending the login credentials to FortiOS.

In technical detail, the form on the login page contains code like onsubmit='return false'; before the actual request is sent to the server, JavaScript code running directly in the browser changes the HTTP request to a POST. A scanner that only reads the method attribute of the form tag therefore sees GET, while the request that leaves the browser is a POST with the credentials in the body, not in the query string.
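As an added illustration (not FortiOS or Fortinet code; the markup, field names and action path are constructed), the following models the gap between the method a static scanner reads off the form tag and the request the browser actually sends once onsubmit='return false' hands submission to a script:

```javascript
// Constructed login markup in the style the article describes: the declared
// method is GET, but onsubmit returns false, so the browser never performs
// that GET; a script submits the fields itself.
const LOGIN_HTML = `
<form id="login" method="GET" action="/login" onsubmit="return false">
  <input name="username" type="text">
  <input name="password" type="password">
  <button type="submit">Login</button>
</form>`;

// What a static scanner sees: the method attribute declared on <form>.
function declaredFormMethod(html) {
  const m = /<form\b[^>]*\bmethod\s*=\s*["']?(\w+)/i.exec(html);
  return m ? m[1].toUpperCase() : 'GET'; // HTML default when omitted
}

// Does the form cancel native submission with onsubmit="return false"?
function nativeSubmitSuppressed(html) {
  return /<form\b[^>]*\bonsubmit\s*=\s*["']\s*return\s+false\s*;?\s*["']/i.test(html);
}

function formAction(html) {
  const m = /<form\b[^>]*\baction\s*=\s*["']([^"']+)["']/i.exec(html);
  return m ? m[1] : '/';
}

// Model of what leaves the browser: a native GET puts the fields in the
// query string; the script path sends them in a POST body instead.
function simulateSubmit(html, fields) {
  const params = new URLSearchParams(fields).toString();
  const action = formAction(html);
  const method = nativeSubmitSuppressed(html) ? 'POST' : declaredFormMethod(html);
  if (method === 'GET') return { method, url: `${action}?${params}`, body: null };
  return {
    method,
    url: action,
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: params,
  };
}

// The check that matters for the finding: is the secret present in the URL?
function credentialInQueryString(request, secret) {
  const query = request.url.split('?')[1] || '';
  return [...new URLSearchParams(query).values()].includes(secret);
}
```

In practice the same distinction is verified by watching the real login request in the browser's network tools or a proxy rather than by reading the page source.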