This article is a part of our Web Security Knowledge Base (back to index)
Why “Insecure HTTP Method” can be dangerous
This means that some of the HTTP methods considered as insecure (OPTIONS, TRACE, etc.) are enabled on your web server, allowing additional functionality which can be used by an attacker to perform further attacks. These attacks can possibly affect the environment and its users.
Possible impact through insecure methods:
PUT: The attacker may upload malicious files to your server
DELETE: The attack may cause deleting of application files or denial of service
CONNECT: The attacker may use your server as proxy in order to attack any third-party applications.
TRACE: The attacker can perform cross site tracing attack
How to fix “Insecure HTTP Method”
Enable only HTTP methods on your web server which are necessary for your application to run. Use only GET and POST methods for all HTTP requests where possible.
If you need any insecure HTTP methods to be enabled on your server, make sure they are properly authorized and available only for specific resources. This way you’ll prevent any malicious usage of those.
How does ScanRepeat report “Insecure HTTP Method”
ScanRepeat looks for known insecure HTTP methods enabled for the URL. Note that HTTP methods can be enabled for individual URLs rather than just at host level. ScanRepeat reports every occurrence of such a vulnerability providing the URL and insecure HTTP method found.
Would you like to test your application now against this problem? Sign up for our free trialScan Your Web App Now