HTTP Method Vulnerability Found

OWASP 2013-A5 OWASP 2017-A6 CWE-650 WSTG-CONF-06

HTTP defines a number of methods for performing actions on the server. Most of them are used on production systems, but many of them were designed for testing HTTP applications, which poses a high threat when the system is misconfigured. GET and POST are the most common and best-known HTTP methods. Under today's standards, there are eight methods available:

  • HEAD
  • GET
  • POST
  • PUT
  • DELETE
  • TRACE
  • OPTIONS
  • CONNECT

Most of them are potentially harmful if not configured appropriately. These methods are powerful: they can be used to modify files and save them on the web server, and in the worst case they can be used to steal credentials and valuable information.

  • PUT: With the PUT method, a user can upload a file to the server. For that reason, an attacker can also upload malicious scripts to the server.
  • DELETE: The DELETE method deletes a file on the server. It gives an attacker leverage to perform attacks on the server and can also be used to mount a DoS attack.
  • CONNECT: The CONNECT method lets the user use the web server as a proxy.
  • TRACE: The TRACE method sends a string to the server, which echoes it back to the client. TRACE is primarily for debugging. This method can be used to perform Cross-Site Tracing.

Example

This can be checked by running the following command using netcat:

        $ nc www.victim.com 80
        OPTIONS / HTTP/1.1
        Host: www.victim.com
        
        HTTP/1.1 200 OK
        Server: Microsoft-IIS/5.0
        Date: Tue, 31 Oct 2006 08:00:29 GMT
        Connection: close
        Allow: GET, HEAD, POST, TRACE, OPTIONS
        Content-Length: 0

    

Impact

The vulnerability can be exploited using cross-site scripting. This can be leveraged using two methods:

  • Client side
  • Another server

This is usually done using TRACE.

Mitigation / Precaution

The vulnerability can be fixed by:

  • Explicitly checking for a “GET” or “POST” method, which would be safe.
  • Disabling methods that are not in use or that are enabled only for debugging.
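
One way to implement the explicit method check described above, written as WSGI middleware. This is an added example, not code from the original page; `MethodAllowlist`, `demo_app` and `probe` are hypothetical names, and it assumes the application needs only GET and POST.

```python
ALLOWED_METHODS = ("GET", "POST")  # assumption: the app needs only these (HEAD is refused too)


class MethodAllowlist:
    """Reject any request whose method is not explicitly allowed."""

    def __init__(self, app, allowed=ALLOWED_METHODS):
        self.app = app
        self.allowed = frozenset(allowed)
        self.allow_header = ", ".join(sorted(self.allowed))

    def __call__(self, environ, start_response):
        # Exact, case-sensitive match: HTTP method tokens are case-sensitive,
        # so "get" or an unknown verb falls through to the 405 branch.
        method = environ.get("REQUEST_METHOD", "")
        if method in self.allowed:
            return self.app(environ, start_response)
        body = b"Method Not Allowed\n"
        start_response("405 Method Not Allowed", [
            ("Allow", self.allow_header),
            ("Content-Type", "text/plain"),
            ("Content-Length", str(len(body))),
        ])
        return [body]


def demo_app(environ, start_response):
    """Stand-in application (constructed for this example)."""
    body = b"ok\n"
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Content-Length", str(len(body)))])
    return [body]


def probe(app, method):
    """Call a WSGI app with a minimal constructed environ; return (status, headers, body)."""
    seen = {}

    def start_response(status, headers, exc_info=None):
        seen["status"], seen["headers"] = status, dict(headers)

    body = b"".join(app({"REQUEST_METHOD": method, "PATH_INFO": "/"}, start_response))
    return seen["status"], seen["headers"], body


if __name__ == "__main__":
    guarded = MethodAllowlist(demo_app)
    for verb in ("GET", "POST", "HEAD", "PUT", "DELETE", "TRACE", "OPTIONS", "CONNECT"):
        print(verb, probe(guarded, verb)[0])
```

Because the check is an allowlist rather than a blocklist, any method added to the server later is refused until it is listed explicitly.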
