[PENETRATION TEST] Drupal Developer Portal On-Premise -> HTTP Verb Tampering

balakumarm

We have the following finding in our pen test. As mentioned in the recommendations, can we disable all non-GET and POST verbs? Will there be any impact?

Implications:

HTTP Verb Tampering - Some of these methods can potentially pose a security risk for a web application, as they allow an attacker to modify the files stored on the web server and, in some scenarios, steal the credentials of legitimate users.

Recommendations:

The solution is to disable all non-GET or POST functionality within the web application server, or in a web application firewall.
If methods such as HEAD or OPTIONS are required for your application, this increases the burden of testing substantially. Each action within the system will need to be verified so that these alternate methods do not trigger actions without proper authentication or reveal information about the contents or workings of the web application. If possible, limit alternate HTTP method usage to a single page that contains no user actions, such as the default landing page (example: index.html).

References

@Anil Sagar @ Google

ACCEPTED SOLUTION

Looks like you would need an nginx directive limit_except: http://nginx.org/en/docs/http/ngx_http_core_module.html#limit_except

The docs do note that allowing GET also enables HEAD though.

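As an added example (not part of the original post, the accepted answer, or any Apigee documentation), here is what the recommendation looks like in an nginx server block fronting the portal. Server name, document root and the `php-fpm` upstream name are placeholders. It shows both the `limit_except` form from the answer and an `if ($request_method ...)` variant, because `limit_except GET` implicitly allows HEAD (as the nginx docs note) and always answers with 403 via `deny all`, whereas the `if` variant can also refuse HEAD and returns the semantically correct 405. One caveat before applying either: Drupal page loads and form submissions use only GET and POST, but if the portal exposes Drupal's JSON:API or REST endpoints, those use PATCH and DELETE, so scope the restriction per `location` rather than breaking those routes.

```nginx
# Added example: restrict a Drupal developer portal vhost to GET and POST.
# Assumptions: nginx in front of PHP-FPM reachable as the upstream "php-fpm";
# server_name and root are placeholders for the real deployment.
server {
    listen 443 ssl;
    server_name devportal.example.com;
    root /var/www/devportal/web;

    # Variant A (server-wide): evaluated in the rewrite phase before any
    # location is selected, so it covers every path, including HEAD, which
    # limit_except cannot refuse on its own. Answer 405 Method Not Allowed.
    if ($request_method !~ ^(GET|POST)$ ) {
        return 405;
    }

    # Variant B (per location): the limit_except directive from the accepted
    # answer. Allowing GET also allows HEAD; everything else is denied with 403.
    # Because limit_except is per location, repeat it in every location that
    # actually serves requests (static files and the PHP handler alike).
    location / {
        limit_except GET POST {
            deny all;
        }
        try_files $uri /index.php?$query_string;
    }

    location ~ \.php$ {
        limit_except GET POST {
            deny all;
        }
        fastcgi_pass php-fpm;
        include fastcgi_params;
    }
}
```

Use one variant, not both, unless you deliberately want the 405 from Variant A to shadow the 403 from Variant B. After reloading nginx, confirm the change from outside the host with `curl -i -X OPTIONS https://devportal.example.com/` (expect 405 or 403 depending on the variant), `curl -i -X PUT https://devportal.example.com/index.php` (same), and `curl -I https://devportal.example.com/` to see whether HEAD is still accepted.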