3

I have just run a security scan against an API in development using Secure PRO. It has flagged a potential vulnerability on a few methods because the HTTP Patch verb is available.

I understand that PATCH seems to update resources if they don't exist. Assuming that the API implements authentication correctly and ensures you own a resource before updating any data, is there anything intrinsically insecure about the HTTP PATCH verb, or should it be disallowed?

iainpb
It depends on what handlers respond to the request. PATCH is fairly new compared to other methods, and it's not commonly used. If you don't need it, it won't hurt to disable it. If you do need it as some part of a tool, as long as that tool is maintained, it carries the same risk and reward as any other verb. – dandavis Jan 11 '17 at 18:09

1 Answer

6

No, there is no inherent security risk that comes with handling the PATCH verb.

Your browser doesn't apply different security policies to PATCH than to PUT or DELETE. Instead, the security impact depends on the server's implementation of the method.

As a more general rule, you should keep the attack surface as small as possible and disable unneeded methods.

See also: How to exploit HTTP Methods

Arminius