-3

Here I am new to insecure HTTP Methods Enabled.

The server allows HTTP methods that are considered dangerous. The following methods were enabled: PUT,DELETE

Software used: Apache-tomcat-6.0.29.

  1. How to reproduce the same?
  2. How to fix this problem/issue?
Danny.
  • 1,015
  • 9
  • 16
Ramakrishnan M
  • 101
  • 1
  • 1
  • 1
  • May have a look at: http://stackoverflow.com/questions/320959/disabling-put-trace-delete-request-in-apache-tomcat-6-0 or for whitelist: http://serverfault.com/questions/662548/disallowing-http-methods-on-tomcat-is-case-sensitive – Danny. Jun 18 '15 at 06:23
  • how to reproduce this HTTP Methods Enabled or not. @danny – Ramakrishnan M Jun 18 '15 at 06:58
  • 2
    What do you want to reproduce? Do you want to test the HTTP Methods? Then simply create an HTTP Request (Tools on internet or have a look at the posted questions). Would be great if you show a bit more effort (Improve Quality of your question, make clear what you want). Otherwhise the community will not give you enough attention. – Danny. Jun 18 '15 at 07:00
  • 1
    In case you use (FULL) REST API's, the PUT and DELETE methods should be enabled. It's recommended to only have these method enabled at a specific endpoint such as http://..../api/ – Jeroen Jun 18 '15 at 10:42

1 Answers1

3
  1. How to reproduce the same?

There are multiple answers on this site for exactly that question. Typing HTTP method into the Search box pulls up:

  1. How to fix this problem issue?

Under Tomcat, you can disable specific methods via the web.xml configuration file:

 <security-constraint>
 <web-resource-collection>
  <web-resource-name><strong>restricted methods</strong></web-resource-name>
  <url-pattern>/*</url-pattern>
  <http-method>PUT</http-method>
  <http-method>POST</http-method>
  <http-method>DELETE</http-method>
  <http-method>OPTIONS</http-method>
  <http-method>TRACE</http-method>
 </web-resource-collection>
 <auth-constraint />
 </security-constraint>

As @Danny points out in the comments, you may want a whitelist rather than a blacklist, and here's a Tomcat 7 example. Here's an alternative for Tomcat 6.

That being said, a blacklist is often sufficient for HTTP methods because:

  • There's a reasonably static/unchanging list of what's supported,
  • Unsupported methods are generally quietly dropped by any competent web server

That said, if the report of Tomcat being case sensitive is true, a whitelist would be the appropriate way to compensate for crappy software.

Community
  • 1
gowenfawr
  • 71,975
  • 17
  • 161
  • 198
  • 1
    Well, from Security point of view he should do "whitelisting" not "blacklisting". Disable everything and only allows "accepted" methods like: http://serverfault.com/questions/662548/disallowing-http-methods-on-tomcat-is-case-sensitive . – Danny. Jun 18 '15 at 10:38