
jQueryResult.load() function causing CWE-201 Veracode error


The following code snippet is causing Veracode error CWE-201:

function advice(tab) {
    // Read the two form fields that are sent to the server
    var foo = document.getElementById("foo").value;
    var bar = document.getElementById("bar").value;

    // contextPath is a global defined elsewhere on the page
    tab.loader.load({
        url : contextPath + "/test.do?method=helloWorld",
        method : "POST",
        params : {
            method : "hi",
            Foo : foo,
            Bar : bar,
            scripts : true
        }
    });
}

I don't know where I'm going wrong. Please correct me.


Solution

  • In a nutshell, CWE-201 is about the risk of exposing sensitive information. I'm assuming the code snippet you shared is not the actual code, because it is not easy to determine which part of the POST request potentially introduces such an exposure.

    The origins I see that the scan could mark as sources of sensitive data are the params you send over POST. If you think this sensitive data does need to be sent, then you must implement some form of access control check to ensure that only users with the right permissions can perform this action. Also, ensuring in code that the data is sent over an HTTPS context is a good check as well.

    I'm not sure which server-side web framework you are using, so I can't make a code suggestion for the validation that would sit on top of this client-side call.

    If the data is otherwise not sensitive in nature, then this is a false positive and you have to propose this to your security team.

    On a side note, I don't think it's a good idea to control the method call over the URL or query string. An attacker can guess or fuzz the list of valid methods they can send, and if your code does not have the proper authn/authz checks, your app/API can be exploited.
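The two points made in the answer above (an authorization check around the action, plus HTTPS enforcement, and not letting the caller name the method through the query string) as an added example. This is not code from the question or the answer: the request and session objects, the action names and the role lists are constructed here for illustration, and `pageProtocol` stands in for `window.location.protocol` so the block runs offline.

```javascript
// Added example, not code from the original question or answer.
// Assumptions: the req/session shapes, the action table and the roles are
// constructed for illustration and are not tied to any real framework.

// Client side: build the load() options without putting the action name or
// the form values in the query string (query strings end up in server and
// proxy logs; a POST body normally does not), and refuse to send at all from
// a non-HTTPS page. `pageProtocol` stands in for window.location.protocol.
function buildLoadOptions(contextPath, pageProtocol, action, fields) {
  if (pageProtocol !== "https:") {
    throw new Error("refusing to send form data from a non-HTTPS page");
  }
  return {
    url: contextPath + "/test.do", // nothing caller-controlled in the URL
    method: "POST",
    params: Object.assign({ method: action }, fields, { scripts: true }),
  };
}

// Server side: a dispatcher that only knows a fixed set of actions, each with
// the roles allowed to call it. A Map (not a plain object) is used so that a
// guessed name such as "constructor" or "__proto__" never resolves to anything.
const ACTIONS = new Map([
  ["hi", { roles: ["user", "admin"], run: (p) => "hello " + p.Foo }],
  ["helloWorld", { roles: ["admin"], run: (p) => "world " + p.Bar }],
]);

// req = { secure: boolean, params: {...} }; session = { userId, role } or null.
function dispatch(req, session) {
  // 1. Transport: only serve the action over HTTPS
  if (!req.secure) {
    return { status: 403, body: "HTTPS required" };
  }
  // 2. Authentication: an anonymous caller gets nothing
  if (!session || !session.userId) {
    return { status: 401, body: "authentication required" };
  }
  // 3. Allowlist: the method name comes from the request but must be known
  const action = ACTIONS.get(String(req.params.method));
  if (!action) {
    // Unknown or fuzzed name: the same response for every name that is not listed
    return { status: 404, body: "unknown action" };
  }
  // 4. Authorization: the caller's role must be allowed for this action
  if (!action.roles.includes(session.role)) {
    return { status: 403, body: "forbidden" };
  }
  return { status: 200, body: action.run(req.params) };
}

// Stand-alone run: the hardened client call fed through the server dispatcher.
const opts = buildLoadOptions("/app", "https:", "hi", { Foo: "alice", Bar: "x" });
console.log(opts.url, dispatch({ secure: true, params: opts.params }, { userId: 7, role: "user" }));
```

The order of the checks matters: the transport and authentication checks run before the method name is even looked at, so an unauthenticated fuzzing attempt learns nothing about which action names exist.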