.htaccess is a per-directory configuration file used by web servers running the Apache HTTP Server. Many HTTP methods are available on a web server, such as “GET”, “POST”, “OPTIONS” and others. Each of these methods has a purpose, but leaving any of them enabled without need poses a risk. The tag lets the administrator block any of these methods. This tag is found inside the .htaccess file. The tag blacklists the methods that can pose a threat to the application. Because this tag follows a blacklist approach, the administrator might forget a few of the methods, and that oversight can have a significant impact on the application and leave it vulnerable to attack. There is another tag that follows a whitelisting approach instead. The tag is .
Example
The code shows the example of and .
Impact
If function is improperly used, the attacker might use the methods left unrestricted to attack the server. Using the DELETE method, the attacker can delete resources from the server. The attacker can use other methods to tamper with the server.
Mitigation / Precaution
Beagle recommends the following:
Use a whitelist approach to permit HTTP methods. The tag is the best choice for implementing a whitelisting approach.
The above tag will block every method other than “GET” and “POST”.
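To make the blacklist-versus-whitelist difference concrete, here is an added example (not part of the original page or Beagle Security's own tooling): a small Python audit script that parses Apache `<Limit>` and `<LimitExcept>` sections from .htaccess text and reports which HTTP methods a configuration leaves allowed. The two .htaccess fragments and the list of methods to check are constructed samples; the parser only understands `Require all denied` bodies and, unlike Apache itself, does not model the fact that HEAD is treated like GET inside these sections.

```python
import re

# Constructed sample .htaccess fragments (not taken from the original page).
# Blacklist style: only the named methods are restricted; anything not
# listed, here PUT and PATCH, stays allowed.
BLACKLIST_HTACCESS = """\
<Limit DELETE OPTIONS>
    Require all denied
</Limit>
"""

# Whitelist style: every method except the named ones is restricted.
WHITELIST_HTACCESS = """\
<LimitExcept GET POST>
    Require all denied
</LimitExcept>
"""

# Constructed sample of methods an auditor would check; extend as needed.
METHODS_TO_CHECK = ["GET", "POST", "OPTIONS", "DELETE", "PUT", "PATCH"]

# Matches <Limit ...>...</Limit> and <LimitExcept ...>...</LimitExcept>.
_SECTION_RE = re.compile(
    r"<(Limit|LimitExcept)\s+([^>]+)>(.*?)</\1>",
    re.IGNORECASE | re.DOTALL,
)

def parse_sections(htaccess_text):
    """Return a list of (kind, methods, body) for each Limit/LimitExcept section.

    kind is "limit" or "limitexcept"; methods is an upper-cased set.
    """
    sections = []
    for m in _SECTION_RE.finditer(htaccess_text):
        kind = m.group(1).lower()
        methods = {tok.upper() for tok in m.group(2).split()}
        sections.append((kind, methods, m.group(3)))
    return sections

def _section_denies(body):
    """True if the section body denies all access (mod_authz_core syntax)."""
    return re.search(r"^\s*Require\s+all\s+denied\s*$", body,
                     re.IGNORECASE | re.MULTILINE) is not None

def method_denied(htaccess_text, method):
    """Is `method` blocked by some denying Limit/LimitExcept section?"""
    method = method.upper()
    for kind, methods, body in parse_sections(htaccess_text):
        if not _section_denies(body):
            continue
        # <Limit> applies only to the listed methods ...
        if kind == "limit" and method in methods:
            return True
        # ... while <LimitExcept> applies to every method NOT listed.
        if kind == "limitexcept" and method not in methods:
            return True
    return False

def unrestricted_methods(htaccess_text, candidates=METHODS_TO_CHECK):
    """Methods from `candidates` that the configuration still allows."""
    return [m for m in candidates if not method_denied(htaccess_text, m)]

def uses_blacklist_only(htaccess_text):
    """Flag configurations that rely on <Limit> without any <LimitExcept>."""
    kinds = {kind for kind, _, _ in parse_sections(htaccess_text)}
    return "limit" in kinds and "limitexcept" not in kinds

if __name__ == "__main__":
    for label, cfg in (("blacklist", BLACKLIST_HTACCESS),
                       ("whitelist", WHITELIST_HTACCESS)):
        print(f"{label}: blacklist-only={uses_blacklist_only(cfg)}, "
              f"allowed={unrestricted_methods(cfg)}")
```

Run against the blacklist fragment the script reports PUT and PATCH as still allowed, because nobody listed them; the whitelist fragment reports only GET and POST, which is the outcome the recommendation above asks for.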