The OWASP GitHub page on Test HTTP Methods starts by listing the eight HTTP methods defined by RFC 2616 (HEAD, GET, POST, PUT, DELETE, TRACE, OPTIONS and CONNECT) but only mentions four that should be disabled (or sufficiently protected):

More specifically, the methods that should be disabled are the following:

  • PUT: This method allows a client to upload new files on the web server. An attacker can exploit it by uploading malicious files (e.g.: an asp file that executes commands by invoking cmd.exe), or by simply using the victim’s server as a file repository.
  • DELETE: This method allows a client to delete a file on the web server. An attacker can exploit it as a very simple and direct way to deface a web site or to mount a DoS attack.
  • CONNECT: This method could allow a client to use the web server as a proxy.
  • TRACE: This method simply echoes back to the client whatever string has been sent to the server, and is used mainly for debugging purposes. This method, originally assumed harmless, can be used to mount an attack known as Cross Site Tracing, which has been discovered by Jeremiah Grossman (see links at the bottom of the page).

If an application needs one or more of these methods, such as REST Web Services (which may require PUT or DELETE), it is important to check that their usage is properly limited to trusted users and safe conditions.
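The check that the quoted list implies, as an added example that is not code from the original post or from OWASP: send each of the eight RFC 2616 methods once, record how the server answers, and compare that against what its OPTIONS `Allow` header advertises. So the example runs offline, it audits two local stand-in servers instead of a real host: `HardenedHandler` answers only GET, HEAD, POST and OPTIONS and returns 405 for everything else, while `PermissiveHandler` models the misconfiguration the post warns about, with PUT, DELETE, CONNECT and TRACE all accepted. The handler names, `audit_methods()`, `risky_methods_enabled()`, `serve()` and the probe host, port and path are all assumptions of this example.

```python
# Added example (not from the original post or OWASP): HTTP-method audit
# run against local stand-in servers so that it works offline.
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# The eight RFC 2616 methods, and the four the post says to disable.
ALL_METHODS = ("HEAD", "GET", "POST", "PUT", "DELETE", "TRACE", "OPTIONS", "CONNECT")
RISKY_METHODS = ("PUT", "DELETE", "CONNECT", "TRACE")


class HardenedHandler(BaseHTTPRequestHandler):
    """Answers only the methods the application needs; 405 for the rest."""
    ALLOWED = ("GET", "HEAD", "POST", "OPTIONS")

    def log_message(self, fmt, *args):
        pass  # keep the stand-in server quiet

    def _body_len(self):
        return int(self.headers.get("Content-Length", 0))

    def _reply(self, status, body=b""):
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        if status == 405:
            self.send_header("Allow", ", ".join(self.ALLOWED))
        self.end_headers()
        if self.command != "HEAD":
            self.wfile.write(body)

    def do_OPTIONS(self):
        # Advertise only what is really enabled.
        self.send_response(204)
        self.send_header("Allow", ", ".join(self.ALLOWED))
        self.end_headers()

    def do_GET(self):
        self._reply(200, b"ok")

    def do_HEAD(self):
        self._reply(200)

    def do_POST(self):
        self.rfile.read(self._body_len())
        self._reply(200, b"ok")

    def _deny(self):
        self.rfile.read(self._body_len())  # drain any body before refusing
        self._reply(405)

    do_PUT = do_DELETE = do_TRACE = do_CONNECT = _deny


class PermissiveHandler(HardenedHandler):
    """The misconfiguration: every method is answered, TRACE echoes the request."""
    ALLOWED = ALL_METHODS

    def do_TRACE(self):
        # RFC 2616 TRACE reflects the request line and headers back to the client,
        # which is why a cookie-bearing request turns into a Cross Site Tracing risk.
        echo = (self.requestline + "\r\n" + str(self.headers)).encode()
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(echo)))
        self.end_headers()
        self.wfile.write(echo)

    def do_PUT(self):
        # Accepts the upload; discarded here, a real server would store the file.
        self.rfile.read(self._body_len())
        self._reply(201, b"created")

    def do_DELETE(self):
        self._reply(200, b"deleted")

    def do_CONNECT(self):
        self._reply(200)


def audit_methods(host, port, path="/"):
    """Send every RFC 2616 method once; record each status code and what the
    OPTIONS Allow header advertises (the two do not always agree)."""
    status, advertised = {}, []
    for method in ALL_METHODS:
        conn = http.client.HTTPConnection(host, port, timeout=5)
        try:
            target = f"{host}:{port}" if method == "CONNECT" else path
            body = b"probe" if method in ("PUT", "POST") else None
            conn.request(method, target, body=body)
            resp = conn.getresponse()
            status[method] = resp.status
            if method == "OPTIONS" and resp.getheader("Allow"):
                advertised = [m.strip() for m in resp.getheader("Allow").split(",")]
            resp.read()
        except (OSError, http.client.HTTPException):
            status[method] = "error"
        finally:
            conn.close()
    return {"status": status, "advertised": advertised}


def risky_methods_enabled(audit):
    """The risky methods the server actually accepted (any 2xx answer)."""
    st = audit["status"]
    return [m for m in RISKY_METHODS if isinstance(st.get(m), int) and 200 <= st[m] < 300]


def serve(handler):
    """Start a handler on an ephemeral localhost port; returns (server, port)."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


if __name__ == "__main__":
    for name, handler in (("permissive", PermissiveHandler), ("hardened", HardenedHandler)):
        srv, port = serve(handler)
        report = audit_methods("127.0.0.1", port)
        srv.shutdown()
        srv.server_close()
        print(name, report["status"], "risky enabled:", risky_methods_enabled(report))
```

The audit deliberately probes each method rather than trusting OPTIONS alone: the `Allow` header is what the server claims, the per-method status codes are what it does, and a server whose `advertised` list is shorter than the set of methods it actually answers is the case worth following up. Against a real host, point `audit_methods()` at a path the application serves (an authenticated path if the post's "properly limited to trusted users" condition is what you are verifying), and treat a 2xx on PUT, DELETE, CONNECT or TRACE as a finding.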