Apache .htaccess LIMIT misconfiguration

By
Manieendar Mohan
Published on
29 Jun 2018
1 min read
Vulnerability

.htaccess is a configuration file that is used on internet servers running the Apache internet Server software package. Many HTTP methods are available on a web server like “GET”, “POST”, “OPTIONS” and many more. All these methods have a purpose and pose a risk in using any of these headers. The tag helps the administrator to block any of these methods. This tag is found inside the .htaccess file. The tag blacklists the methods that can pose a threat to the application. As this tag follows a blacklist approach, the administrator might forget few of the methods. This negligence can have a significant impact on the application and might make the application vulnerable to attacks. There is another tag which prefers a whitelisting approach. The tag is .

Example

The code shows the example of and .

        <Limit OPTIONS GET> </Limit>//This tag limits the usage of OPTIONS and GET.
        <LimitExcept GET POST> </LimitExcept> //This tag only allows GET and POST.

    

Impact

If function is improperly used, the attacker might use methods to attack the server. Using the DELETE method, the attacker can DELETE resources from the server. The attacker can use other methods to temper with the server.

Mitigation / Precaution

Beagle recommends the following impacts:-

  • Use a whitelist approach to permit HTTP methods. The tag is the best choice for implementing whitelisting approach.
        <LimitExcept GET POST>
        </LimitExcept>

    

The above tag will block every other tag other than “GET” and “POST”.

Automated human-like penetration testing for your web apps & APIs
Teams using Beagle Security are set up in minutes, embrace release-based CI/CD security testing and save up to 65% with timely remediation of vulnerabilities. Sign up for a free account to see what it can do for you.

Written by
Manieendar Mohan
Manieendar Mohan
Cyber Security Lead Engineer
Experience the Beagle Security platform
Unlock one full penetration test and all Advanced plan features free for 10 days
Find surface-level website security issues in under a minute
Free website security assessment
Experience the power of automated penetration testing & contextual reporting.