.htaccess LIMIT misconfiguration

OWASP 2013-A5 OWASP 2017-A6 CWE-416 WASC-13

.htaccess is a per-directory configuration file used on web servers running the Apache HTTP Server software. A web server accepts many HTTP methods, such as GET, POST, OPTIONS and others. Each method has a purpose, and each one that is exposed carries some risk. The <Limit> tag, which is placed inside the .htaccess file, lets the administrator block selected methods. <Limit> blacklists the methods that could pose a threat to the application. Because it follows a blacklist approach, the administrator may forget some methods, and that omission can have a significant impact and leave the application open to attack. There is another tag, <LimitExcept>, which takes a whitelisting approach.

Example

The code shows an example of <Limit> and <LimitExcept>. Note that a section with an empty body restricts nothing; it must contain an access directive such as Require all denied to take effect.

        # This section limits the usage of OPTIONS and GET (and, with GET, also HEAD).
        <Limit OPTIONS GET>
            Require all denied
        </Limit>

        # This section only allows GET and POST.
        <LimitExcept GET POST>
            Require all denied
        </LimitExcept>

Impact

If <Limit> is used incorrectly, an attacker can use the methods it fails to block to attack the server. With the DELETE method, for example, the attacker can delete resources from the server; other unblocked methods can likewise be used to tamper with the server.

Mitigation / Precaution

Beagle recommends the following precautions:

  • Use a whitelist approach to permit HTTP methods. The <LimitExcept> tag is the best choice for implementing a whitelisting approach.
        <LimitExcept GET POST>
            Require all denied
        </LimitExcept>

The above tag will block every HTTP method other than “GET” and “POST”.
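As an added example (not Beagle's own code), the following Python auditor parses the <Limit> and <LimitExcept> sections of an .htaccess and reports which state-changing methods remain permitted, showing why the blacklist form in the Example section still leaves DELETE and PUT open while the whitelist form does not. It assumes a section only denies access when its body contains Require all denied (Apache 2.4) or Deny from all (2.2); the sample configurations are constructed.

```python
import re
from typing import List, Set

# Methods Apache accepts inside <Limit>/<LimitExcept>. TRACE is absent on
# purpose: Apache controls it with TraceEnable, not with these sections.
LIMITABLE: Set[str] = {
    "GET", "HEAD", "POST", "PUT", "DELETE", "CONNECT", "OPTIONS", "PATCH",
    "PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK",
}
# State-changing methods: the ones a blacklist is most likely to forget.
STATE_CHANGING = {"PUT", "DELETE", "PATCH", "MKCOL", "COPY", "MOVE",
                  "PROPPATCH", "LOCK", "UNLOCK", "CONNECT"}

_SECTION = re.compile(r"<(Limit|LimitExcept)\s+([^>]+)>(.*?)</\1>",
                      re.IGNORECASE | re.DOTALL)
# Assumption: a section only denies if its body holds "Require all denied"
# (Apache 2.4) or "Deny from all" (2.2); other access-control idioms are ignored.
_DENY = re.compile(r"^\s*(?:Require\s+all\s+denied|Deny\s+from\s+all)\s*$",
                   re.IGNORECASE | re.MULTILINE)

def _listed(names: str) -> Set[str]:
    methods = {m.upper() for m in names.split()}
    if "GET" in methods:  # Apache: listing GET also covers HEAD
        methods.add("HEAD")
    return methods

def permitted_methods(htaccess: str) -> Set[str]:
    """Methods from LIMITABLE still usable after every denying section is
    applied. An empty <Limit></Limit>, as on the page, denies nothing."""
    denied: Set[str] = set()
    for kind, names, body in _SECTION.findall(htaccess):
        if not _DENY.search(body):
            continue
        listed = _listed(names)
        denied |= listed if kind.lower() == "limit" else LIMITABLE - listed
    return LIMITABLE - denied

def risky_methods(htaccess: str) -> List[str]:
    """State-changing methods the configuration still permits, sorted."""
    return sorted(permitted_methods(htaccess) & STATE_CHANGING)

# Constructed samples mirroring the article's two tags.
BLACKLIST = "<Limit OPTIONS GET>\n  Require all denied\n</Limit>\n"
WHITELIST = "<LimitExcept GET POST>\n  Require all denied\n</LimitExcept>\n"
print("blacklist still permits:", risky_methods(BLACKLIST))
print("whitelist still permits:", risky_methods(WHITELIST))
```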
