This article is a part of our Web Security Knowledge Base.

Why “Insecure HTTP Method” can be dangerous

This finding means that one or more HTTP methods regarded as insecure (OPTIONS, TRACE, etc.) are enabled on your web server. They expose additional functionality that an attacker can use as a foothold for further attacks, which may affect both the environment and its users.

Possible impact through insecure methods:

PUT: The attacker may upload arbitrary files, including malicious ones, to your server.

DELETE: The attacker may delete application files or cause a denial of service.

CONNECT: The attacker may use your server as a proxy to attack third-party applications.

TRACE: The attacker can perform a cross-site tracing (XST) attack.

How to fix “Insecure HTTP Method”

Enable only the HTTP methods your application actually needs. Where possible, use only GET and POST for all HTTP requests.

If you do need any of the insecure HTTP methods enabled on your server, make sure they are properly authorized and available only for the specific resources that require them. This way you prevent their malicious use.
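The two rules above (allow only what is needed; where a privileged method is needed, authorize it and scope it to specific resources) can be enforced at the web server (for Apache, for example, `TraceEnable off` and `<LimitExcept>`) or in the application. The following is an added example, not ScanRepeat's code or a configuration from the original article: a small WSGI middleware that passes only GET, HEAD and POST by default, and permits PUT and DELETE solely under a hypothetical `/api/uploads/` prefix for requests carrying a (constructed) bearer token.

```python
# Added example (not ScanRepeat's code): a WSGI middleware enforcing an HTTP
# method allowlist. Only GET, HEAD and POST pass by default; PUT and DELETE are
# allowed solely under a designated path prefix and only with valid
# authorization. The path prefix and bearer token are hypothetical values.
import hmac

DEFAULT_ALLOWED = frozenset({"GET", "HEAD", "POST"})

# Per-resource exceptions: path prefix -> insecure methods that are allowed
# there, but only for authorized callers.
PRIVILEGED = {
    "/api/uploads/": frozenset({"PUT", "DELETE"}),
}

# Constructed credential for the example; a real service would validate the
# token against its own authentication layer.
_UPLOAD_TOKEN = "example-upload-token"


def _authorized(environ):
    """Check for an 'Authorization: Bearer <token>' header in constant time."""
    scheme, _, token = environ.get("HTTP_AUTHORIZATION", "").partition(" ")
    return scheme.lower() == "bearer" and hmac.compare_digest(
        token.strip(), _UPLOAD_TOKEN
    )


def decide(method, path, environ):
    """Return 0 to pass the request through, otherwise the status to refuse with.

    405 means the method is never allowed for this path; 401 means the method
    is allowed here but the request lacks valid authorization.
    """
    method = method.upper()
    if method in DEFAULT_ALLOWED:
        return 0
    for prefix, methods in PRIVILEGED.items():
        if path.startswith(prefix) and method in methods:
            return 0 if _authorized(environ) else 401
    return 405


class MethodAllowlist:
    """WSGI middleware that applies decide() before calling the wrapped app."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        status = decide(
            environ.get("REQUEST_METHOD", ""), environ.get("PATH_INFO", ""), environ
        )
        if status == 0:
            return self.app(environ, start_response)
        if status == 405:
            # Advertise only the safe methods, never the privileged ones.
            headers = [("Allow", ", ".join(sorted(DEFAULT_ALLOWED)))]
            start_response("405 Method Not Allowed", headers)
        else:
            start_response("401 Unauthorized", [("WWW-Authenticate", "Bearer")])
        return [b""]


def _hello(environ, start_response):
    """Minimal wrapped application used to exercise the middleware."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok"]


def simulate(method, path, authorization=None):
    """Run one request through the middleware and return the status line."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path}
    if authorization is not None:
        environ["HTTP_AUTHORIZATION"] = authorization
    seen = {}

    def start_response(status, headers):
        seen["status"] = status

    list(MethodAllowlist(_hello)(environ, start_response))
    return seen["status"]


if __name__ == "__main__":
    for req in [("GET", "/"), ("TRACE", "/"), ("PUT", "/api/uploads/a.txt"),
                ("PUT", "/api/uploads/a.txt", "Bearer example-upload-token"),
                ("DELETE", "/index.html", "Bearer example-upload-token")]:
        print(req[0], req[1], "->", simulate(*req))
```

Note that the refusal for an unlisted method is 405 regardless of credentials: authorization only widens what a specific resource accepts, it never re-enables a method globally. The 405 response also advertises only the default methods, so the privileged ones are not disclosed to unauthenticated callers.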

How does ScanRepeat report “Insecure HTTP Method”

ScanRepeat looks for known insecure HTTP methods enabled for the scanned URL. Note that HTTP methods can be enabled for individual URLs, not just at host level. ScanRepeat reports every occurrence of this vulnerability, providing the URL and the insecure HTTP method found.
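The per-URL nature of the finding is the important detail: a server can expose different methods under different paths, so an audit has to be run against each URL rather than once per host. As an added illustration that is not ScanRepeat's code, the script below takes the raw OPTIONS responses captured for several URLs (constructed sample data, placeholder URLs), parses each `Allow` header and reports every (URL, insecure method) pair in the same shape the article describes.

```python
# Added example (not ScanRepeat's code): audit per-URL OPTIONS responses and
# report every insecure method advertised. The responses below are constructed
# sample data, not real scan output; the URLs are placeholders.

INSECURE_METHODS = frozenset({"PUT", "DELETE", "CONNECT", "TRACE", "OPTIONS"})

# Constructed raw OPTIONS responses, one per scanned URL. The allowed methods
# differ per URL, which is why the audit is done per URL and not per host.
SAMPLE_RESPONSES = {
    "https://example.com/": (
        "HTTP/1.1 200 OK\r\n"
        "Allow: GET, HEAD, POST, OPTIONS, TRACE\r\n"
        "Content-Length: 0\r\n\r\n"
    ),
    "https://example.com/uploads/": (
        "HTTP/1.1 200 OK\r\n"
        "allow: GET,HEAD,POST,PUT,DELETE\r\n"
        "Content-Length: 0\r\n\r\n"
    ),
    "https://example.com/static/": (
        "HTTP/1.1 200 OK\r\n"
        "Allow: GET, HEAD\r\n"
        "Content-Length: 0\r\n\r\n"
    ),
}


def parse_allowed_methods(raw_response):
    """Return the set of methods named in the Allow header of a raw response.

    Header names are matched case-insensitively; a response without an Allow
    header yields an empty set.
    """
    head = raw_response.split("\r\n\r\n", 1)[0]
    methods = set()
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "allow":
            methods.update(m.strip().upper() for m in value.split(",") if m.strip())
    return methods


def audit(responses):
    """Return sorted (url, method) findings for every insecure method enabled."""
    findings = []
    for url, raw in responses.items():
        for method in parse_allowed_methods(raw) & INSECURE_METHODS:
            findings.append((url, method))
    return sorted(findings)


if __name__ == "__main__":
    for url, method in audit(SAMPLE_RESPONSES):
        print(f"{url}: insecure method {method} enabled")
```

The `Allow` header is advisory: a server may accept a method it does not advertise, or reject one it does, so a scanner treats this parse as a first pass and confirms each finding against the URL before reporting it. Which methods count as insecure is also a policy choice; the set above follows the ones this article names.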

Would you like to test your application against this problem now? Sign up for our free trial.
