
Test HTTP Methods

Description

HTTP offers a number of methods that can be used to perform actions on the web server (the HTTP/1.1 standard refers to them as methods, but they are also often called verbs). While GET and POST are by far the most common, HTTP additionally defines methods such as PUT, DELETE, CONNECT, OPTIONS, and TRACE. If an application is misconfigured to accept or process these uncommon methods without proper restrictions, it can lead to various attack vectors including file overwrite, unauthorized state changes, or information disclosure. A robust HTTP method policy helps mitigate these threats by limiting which methods the server is allowed to process and how it processes them.

Remediation

Restrict the allowed HTTP methods to only those required by your application (commonly GET and POST). Configure your server or application framework to block or return an error for unsupported methods (like PUT, DELETE, CONNECT, OPTIONS, TRACE) unless there is a specific, legitimate need for them. Use a Web Application Firewall (WAF) or network-level intrusion detection system to monitor for suspicious activity related to unconventional methods. Implement strict access control checks on all endpoints that do accept non-standard methods. Regularly review server and application logs for attempts to exploit unused HTTP methods, and perform routine security testing to ensure that newly introduced methods do not unintentionally open attack surfaces.
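As an added example (not code from the original page), the two controls above in Python: a WSGI middleware that denies every method not on a per-path allowlist and answers with a 405 carrying the required Allow header, plus a helper that flags unused methods in access-log lines during log review. The route table, the method sets and the log lines are constructed for illustration.

```python
from typing import Callable, Iterable

# Constructed allowlist: only the methods each path prefix genuinely needs;
# anything else (PUT, DELETE, CONNECT, OPTIONS, TRACE, ...) gets a 405.
ALLOWED_METHODS = {"/api/items": {"GET", "POST"}, "/": {"GET"}}
# Methods this application never uses; flagged during log review.
UNUSED_METHODS = {"PUT", "DELETE", "CONNECT", "OPTIONS", "TRACE", "PATCH"}
# Constructed access-log lines (common log format) for the review helper.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /api/items HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "PUT /api/items/3 HTTP/1.1" 405 0',
    '198.51.100.2 - - [10/Oct/2023:13:56:01 +0000] "TRACE / HTTP/1.1" 405 0',
    "malformed line without a request field",
]


def allowed_for(path: str) -> set:
    """Longest-prefix match of the request path against the allowlist."""
    best = ""
    for prefix in ALLOWED_METHODS:
        if path.startswith(prefix) and len(prefix) > len(best):
            best = prefix
    return ALLOWED_METHODS.get(best, set())


def method_policy(app: Callable) -> Callable:
    """Wrap a WSGI app so disallowed methods never reach it (deny by default)."""
    def wrapped(environ, start_response):
        # Method names are case-sensitive, so no normalisation: "get" != "GET".
        method = environ.get("REQUEST_METHOD", "")
        allowed = allowed_for(environ.get("PATH_INFO", "/"))
        if method not in allowed:
            # RFC 9110 requires an Allow header on a 405 response.
            start_response("405 Method Not Allowed",
                           [("Allow", ", ".join(sorted(allowed)))])
            return [b"Method not allowed\n"]
        return app(environ, start_response)
    return wrapped


def suspicious_methods(log_lines: Iterable[str]) -> list:
    """Return (client_ip, method, path) for each log line using an unused method."""
    hits = []
    for line in log_lines:
        try:
            ip = line.split(" ", 1)[0]
            method, path, _ = line.split('"')[1].split(" ", 2)
        except (IndexError, ValueError):
            continue  # malformed line: skip it rather than guess
        if method.upper() in UNUSED_METHODS:  # case-insensitive for review only
            hits.append((ip, method.upper(), path))
    return hits
```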

References

https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods
https://owasp.org/www-community/attacks/Missing_HTTP_Methods_Restrictions

Severity

INFO

OWASP

Code: A01:2021

Category: Broken Access Control

Classification

CWE-749
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N (score 5.4)
CVSS:4.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N (score 5.4)