Lock down your HTTP Verbs

Something that has come up in some of our testing recently is that some of our websites have HTTP verbs allowed that probably should be blocked – and with IIS they can be.

To recap, we’re use to the idea of GET or POST requests, but there are a lot more…

Standard Methods

  • HEAD
  • GET
  • POST
  • DELETE
  • PUT
  • CONNECT
  • OPTIONS
  • TRACE
  • PATCH

WebDAV Methods

  • PROPFIND
  • PROPPATCH
  • MOVE
  • COPY
  • LOCK
  • UNLOCK
  • MKCOL

Misc. Others

  • DEBUG
  • TRACK

Basically, the ones in bold I would block, including all the methods used in WebDav. The only reason I can find for allowing methods such as PUT, PATCH or DELETE is if one is implementing a RESTful API.

Otherwise, removing the other verbs reduces your attack surface and seems a sensible idea. Do note that penetration testing can sometimes return warnings about methods such as PUT or DELETE being available.

Advertisements
Lock down your HTTP Verbs

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s