2

Does blocking HTTP HEAD requests help us solidify the safety rules for an Apache web server, or would this restriction be an exaggeration?

What kind of vulnerability can be exploited by the HEAD method?

Tests:

$ lynx --dump --head http://www.terra.com.br

HTTP/1.1 200 OK
Server: nginx
Date: Wed, 16 Jul 2014 14:44:35 GMT
Content-Type: text/html;charset=UTF-8
Content-Length: 0
Connection: close
Vary: Accept-Encoding
X-Cache-Status: HIT
Content-Language: pt-BR
X-Ua-Level:
Set-Cookie: prisma=WEB-20; path=/; domain=.terra.com.br
Set-Cookie: prisma=WEB-20; path=/; domain=.terra.com.br
Age: 0
Vary: Accept-Encoding, X-UA-Device, X-prisma
X-Device-Type: web
X-Xact-Hosts: montador=1sh
X-Xact-Uuid: be9ef8c3-163a-40af-8472-0982226424e1
X-Ua-Compatible: IE=Edge
Cache-Control: no-cache
X-Ua-Device: Lynx/2.8.8rel.2 libwww-FM/2.14 SSL-MM/1.4.1 OpenSSL/1.0.1g
Set-Cookie: X-XAct-ID=da20bbf3-3a14-4d86-a23b-6fe36f5adae9; Domain=terra.com.br; expires=Wed, 31 Dec 2036 00:00:00 GMT; Path=/
Set-Cookie: novo_portal=1; Domain=terra.com.br; expires=Mon, 01 Sep 2014 00:00:00 GMT; Path=/

$ lynx --dump --head http://www.myserver.com.br

HTTP/1.1 403 Forbidden
Date: Wed, 16 Jul 2014 14:44:44 GMT
Server: Apache
Last-Modified: Tue, 01 Apr 2014 05:28:27 GMT
Accept-Ranges: bytes
Content-Length: 4874
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html

UPDATED:

Is the answer for the GET method also applicable to the TRACE, DELETE or TRACK methods?

Apache conf:

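# Return 403 Forbidden for TRACE, DELETE and TRACK requests (requires mod_rewrite)
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK) [NC]
RewriteRule .? - [F]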
gpupo

2 Answers

3

"Does doing X improve the security of my system?" -- this is a bad way to approach these issues.

"Does doing X improve the security of my system enough to justify the costs?" -- is the right question to ask.

Does blocking HEAD requests improve the security? Yes, by about .01%. Flaws in the code that handles HEAD requests would be harder (or impossible) to reach with requests.

But… the costs of blocking HEAD requests outweigh the benefits in most cases: increased traffic to your servers, time to implement, slower troubleshooting, etc. Making one change like this isn't a big deal, but if you make 50 changes that take 30 minutes and minimize your risk by .01% then you've spent 24 hours for a .5% improvement. There are probably better uses for your time.

u2702

-1

Using the HEAD command in telnet against a web server allows a potential attacker to conduct reconnaissance against your web server.

Amongst other things, the response can reveal what web server you are using and what technologies, such as PHP or ASP, possibly with version numbers. The attacker could then use this to go and do some enumeration, which is the process of matching up products and versions with known vulnerabilities.

So you cannot directly exploit a vulnerability with a HEAD request, but it can give an attacker valuable information.

I'm not sure stopping HEAD requests is actually possible, as this is something a browser will need to do to retrieve web content. A better alternative would be to alter your config files to ensure that they do not report version numbers.

TimC
  • Thanks @TimC. I do the lock on my servers. The answer is given as 403 in requests. See the examples that I entered into my question? Do you consider this block as irrelevant? – gpupo Jul 16 '14 at 14:48
  • 4
    This is pointless. The information an attacker will receive is exactly the same as they would receive from a GET request. You're only inflicting pain on yourself by increasing your bandwidth costs/requirements. – Xander Jul 16 '14 at 15:02
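
An added example, not part of the original thread: a small Python check for the two points made in the answer and comment above, namely that response headers can disclose product versions and that a HEAD response carries the same headers as a GET. The sample responses and all function names are constructed for illustration.

```python
import re

# Headers that commonly disclose product names and versions.
DISCLOSING = ("server", "x-powered-by", "x-aspnet-version")
# A product token followed by a version, e.g. "Apache/2.4.7" or "PHP/5.5.9".
PRODUCT_VERSION = re.compile(r"[A-Za-z][\w.-]*/\d[\w.]*")
# A bare dotted version, as sent in X-AspNet-Version.
BARE_VERSION = re.compile(r"\d+(\.\d+)+")

def parse_headers(raw):
    """Parse a raw response head into (status_line, {name: [values]})."""
    lines = raw.strip().splitlines()
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block; a body may follow
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0].strip(), headers

def disclosures(headers):
    """Return (header, value) pairs that expose a product version."""
    found = []
    for name in DISCLOSING:
        for value in headers.get(name, []):
            if PRODUCT_VERSION.search(value) or BARE_VERSION.fullmatch(value):
                found.append((name, value))
    return found

def head_only_disclosures(head_raw, get_raw):
    """Disclosures visible via HEAD that a GET would not also reveal."""
    seen_by_get = disclosures(parse_headers(get_raw)[1])
    return [d for d in disclosures(parse_headers(head_raw)[1]) if d not in seen_by_get]

# Constructed sample responses (not captured from any real server).
HEAD_RESPONSE = """HTTP/1.1 200 OK
Server: Apache/2.4.7 (Ubuntu) PHP/5.5.9
X-Powered-By: PHP/5.5.9
Content-Type: text/html
"""
GET_RESPONSE = HEAD_RESPONSE + "\n<html>...</html>\n"
# What a server configured not to report versions would send.
HARDENED_RESPONSE = "HTTP/1.1 200 OK\nServer: Apache\nContent-Type: text/html\n"

if __name__ == "__main__":
    print("HEAD discloses:", disclosures(parse_headers(HEAD_RESPONSE)[1]))
    print("Only via HEAD: ", head_only_disclosures(HEAD_RESPONSE, GET_RESPONSE))
    print("Hardened:      ", disclosures(parse_headers(HARDENED_RESPONSE)[1]))
```

An empty "only via HEAD" list is the case the comment describes: blocking the method removes nothing that a GET does not already return, while removing the version strings helps for both methods.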