HTTP Method Vulnerability and solutions

Modified on Wed, 09 Jun 2021 at 03:01 PM

Method Vulnerability:

HTTP methods are considered to be vulnerable methods. Though this is rarely used for legitimate purposes, but it does help a potential attacker and can be considered a shortcut to find another hole. PATCH, PUT, DELETE, and TRACE are the most vulnerable methods. 

Through PUT and DELETE, a hacker can change or delete files from the server's file system, arbitrarily. Obviously, if these are enabled, it opens you to some dangerous attacks. File access permissions should be very strictly limited, if you absolutely must have these methods enabled.

TRACE can also be substantially misused, such as the classic Cross-Site Tracing (XST) attack, wherein an XSS vector can be utilized to retrieve Http only cookies, authorization headers, and such.

Using PATCH method, any user with HTML knowledge can simply modify the URI and ID of the form which is counted as unwanted bypass.


Solution:

To prevent these in Smarten the below attribute in the standalone.xml file (/smarten/wildfly/standalone/configuration/standalone.xml) has to be changed.

<http-listener> tag: disallowed-methods="HEAD OPTIONS TRACE"

 

 Please refer to Application Security Implementation Manual to learn more.




Note: This article is based on Smarten Version 5.0. This may or may not be relevant to the Smarten version you may be using.

 

 

Was this article helpful?

That’s Great!

Thank you for your feedback

Sorry! We couldn't be helpful

Thank you for your feedback

Let us know how can we improve this article!

Select atleast one of the reasons

Feedback sent

We appreciate your effort and will try to fix the article