11

When browsing the OWASP security recommendations for file uploads, I ticked reading the following:

Try to use POST method instead of PUT (or GET!)

I don't see how one method is better than another from security perspective. Could someone shed light on this advice?

Zenklys
  • Security aside, you should use POST when creating and PUT when updating a resource. This is a good post on Stack Overflow: http://stackoverflow.com/questions/630453/put-vs-post-in-rest. Those OWASP guidelines really could provide more info there! – iainpb Jan 18 '17 at 17:15
  • Here is a reason *for* PUT: You can't use it cross-domain without CORS which makes CSRF more difficult. – Arminius Jan 18 '17 at 17:28

3 Answers

6

TL;DR: PUT is not supported by a good deal of things. Sometimes it is only available as an extension, and enabling extensions increases your attack surface.


@iain is correct in the comments that the SO question PUT vs POST in REST is relevant here. From the RESTfulness point of view PUT is fine for updating or even overwriting a file.

Yet, if you argue from the security standpoint, the original HTML forms never did support PUT, only GET and POST. A lot of info about this can be found in Are the PUT, DELETE, HEAD, etc methods available in most web browsers?, although some info there is obsolete and some links are dead. So I'll summarize it here:

HTML

AJAX supports GET, POST, PUT and even DELETE. But the common form in a browser doesn't. HTML5 did add support for PUT and DELETE in its draft versions, but neither PUT nor DELETE can be found in the current definition of the HTML5 infrastructure. In other words, browsers have no obligation to understand <form method="PUT"> to conform to HTML5.

Webservers

Both Apache and Nginx use PUT and DELETE as WebDAV extensions. If you want to harden your webserver one thing you often do is to compile it without the WebDAV extensions. Adding extensions is increasing attack surface.

Web frameworks, on the other hand, often do not support PUT. Or, more commonly, they simply use the same function to process POST and PUT, making the use of the PUT verb really the same as POST.


So yeah, the OWASP guideline makes some sense. Although I would rewrite it as: "If you are implementing full REST use PUT, if you aren't use POST because it is more widely supported".

grochmal
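The two browser-side facts behind this answer and Arminius's comment on the question (an unknown `method` attribute falls back to GET, and a cross-origin PUT cannot be sent without a CORS preflight) can be checked in code. What follows is an added example, not code from the original post or from OWASP: it encodes the `method` fallback from the HTML spec and a simplified version of the Fetch spec's "CORS-safelisted" rules, then applies them to a few constructed request shapes aimed at a hypothetical upload URL. The header-length cap and the partial safelisting of `Range` are left out; that simplification is an assumption noted in the comments.

```javascript
// Added example (not from the original post or OWASP): what a cross-site attacker
// page can make a victim's browser send to a file-upload endpoint, and why the
// HTTP method matters for CSRF. The rules are a simplified reading of the HTML
// and Fetch specs; the simplifications noted below are assumptions.

// HTML `method` attribute: the spec knows only get, post and dialog. Any other
// value (including "PUT") is an invalid value and falls back to the GET state,
// so <form method="PUT"> silently submits as GET.
function effectiveFormMethod(methodAttr) {
  const m = (methodAttr || '').trim().toLowerCase();
  return m === 'post' || m === 'dialog' ? m : 'get';
}

// Fetch: CORS-safelisted methods may be sent cross-origin without a preflight.
const SAFELISTED_METHODS = new Set(['GET', 'HEAD', 'POST']);
// Request headers a cross-origin request may carry without a preflight
// (simplified: the spec also caps values at 128 bytes and safelists Range in some cases).
const SAFELISTED_HEADERS = new Set(['accept', 'accept-language', 'content-language', 'content-type']);
// Content-Type essences a plain HTML form can produce; anything else needs a preflight.
const SAFELISTED_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain',
]);

// Returns true when the browser must send an OPTIONS preflight (and therefore
// needs the target server to opt in via CORS) before it will send this request.
function needsPreflight(method, headers = {}) {
  if (!SAFELISTED_METHODS.has(method.toUpperCase())) return true;
  for (const [name, value] of Object.entries(headers)) {
    const lname = name.toLowerCase();
    if (!SAFELISTED_HEADERS.has(lname)) return true;
    if (lname === 'content-type') {
      const essence = String(value).split(';')[0].trim().toLowerCase();
      if (!SAFELISTED_CONTENT_TYPES.has(essence)) return true;
    }
  }
  return false;
}

// Constructed upload request shapes an attacker page might try to fire at
// https://target.example/upload (hypothetical URL) with the victim's cookies attached.
const UPLOAD_SHAPES = [
  { label: 'form POST, multipart/form-data', method: 'POST',
    headers: { 'Content-Type': 'multipart/form-data; boundary=----abc' } },
  { label: 'form with method="PUT" (falls back to GET)',
    method: effectiveFormMethod('PUT').toUpperCase(), headers: {} },
  { label: 'fetch PUT, raw file body', method: 'PUT',
    headers: { 'Content-Type': 'application/octet-stream' } },
  { label: 'fetch POST, JSON body', method: 'POST',
    headers: { 'Content-Type': 'application/json' } },
  { label: 'img/GET with payload in the query string', method: 'GET', headers: {} },
];

// Labels of the shapes a cross-site page can send with no CORS opt-in from the target.
function forgeableWithoutCors(shapes = UPLOAD_SHAPES) {
  return shapes.filter((s) => !needsPreflight(s.method, s.headers)).map((s) => s.label);
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const s of UPLOAD_SHAPES) {
    const verdict = needsPreflight(s.method, s.headers) ? 'preflight   ' : 'no preflight';
    console.log(`${verdict}  ${s.label}`);
  }
}
```

The preflight only helps while the upload server does not answer `OPTIONS` permissively: a server that reflects any `Origin` and adds `Access-Control-Allow-Credentials: true` with `PUT` in `Access-Control-Allow-Methods` hands the attacker page the same cross-site PUT it could not send before, so the method choice is a layer on top of a CSRF token, not a replacement for one.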
1

I don't think this should be on the list, but as a guess they put this point up because this is the best and RESTful way to do file uploads without side effects*. To be honest I haven't seen anyone doing PUT. I have seen GET, but those were like first-time PHP scripts.

Let's put PUT aside for a sec. If you compare POST to GET, POST is more hidden from the user perspective as it doesn't get appended to the visible URL.

If you send other data along with the file, it would be more likely to be visible to the user, who could manipulate it. This, however, does not make it less or more secure, because you should never trust client input anyway.

*: browsers might truncate long URI strings, for example

Rápli András
0

I think the security concern about PUT comes from the WebDAV protocol where a PUT request allows you to specify the path the file should be uploaded to. And if the server doesn't enforce proper restrictions on the path, this may allow an attacker to overwrite important files.