This article is part of our Web Security Knowledge Base.
Why “Insecure HTTP Method” can be dangerous
This finding means that one or more HTTP methods considered insecure (OPTIONS, TRACE, etc.) are enabled on your web server. Each of them exposes additional functionality that an attacker can use to mount further attacks, which may affect the environment and its users.
Possible impact through insecure methods:
PUT: an attacker may upload malicious files to your server.
DELETE: an attacker may delete application files or cause a denial of service.
CONNECT: an attacker may use your server as a proxy to attack third-party applications.
TRACE: an attacker can perform a cross-site tracing (XST) attack.
How to fix “Insecure HTTP Method”
Enable only those HTTP methods on your web server that your application needs to run. Where possible, use only GET and POST for all HTTP requests.
If your application does need one of the insecure HTTP methods, make sure it is properly authorized and available only for the specific resources that require it. This prevents malicious use of that method elsewhere on the server.
How does ScanRepeat report “Insecure HTTP Method”
ScanRepeat looks for known insecure HTTP methods enabled for the URL. Note that HTTP methods can be enabled for individual URLs rather than just at the host level. ScanRepeat reports every occurrence of such a vulnerability, providing the URL and the insecure HTTP method found.
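To make the fix and the per-URL check concrete, here is an added example in Python (not ScanRepeat's code, and not taken from the page): a WSGI middleware that enforces a per-resource method allowlist, refusing everything else with a 405 and an accurate Allow header, together with two checks that mirror what a scanner does per URL: reading the insecure methods out of an Allow header, and probing which risky methods a resource does not refuse. The policy, the paths and the stand-in application are hypothetical. In production the same allowlist usually lives in the web server configuration (Apache's LimitExcept directive and TraceEnable off, nginx's limit_except); the middleware shows the logic those directives implement.

```python
"""Added example (not ScanRepeat's code): per-resource HTTP method allowlist as
WSGI middleware, plus the per-URL checks a scanner applies.
The policy, paths and demo application are hypothetical."""
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# Methods the article lists as dangerous when enabled without need.
INSECURE_METHODS = frozenset({"PUT", "DELETE", "CONNECT", "TRACE"})

# Hypothetical policy, longest prefix wins: the site accepts only GET and POST,
# except one upload resource that genuinely needs PUT and DELETE.
# OPTIONS is deliberately absent; add it per-path only where CORS preflight needs it.
METHOD_POLICY: Dict[str, frozenset] = {
    "/": frozenset({"GET", "POST"}),
    "/api/uploads/": frozenset({"GET", "POST", "PUT", "DELETE"}),
}


def allowed_methods(path: str, policy: Dict[str, frozenset] = METHOD_POLICY) -> frozenset:
    """Methods permitted for a path: the longest policy prefix that matches it."""
    matches = [prefix for prefix in policy if path.startswith(prefix)]
    return policy[max(matches, key=len)] if matches else frozenset()


def _plain(start_response, status: str, body: bytes, extra_headers: List[Tuple[str, str]]):
    headers = [("Content-Type", "text/plain"), ("Content-Length", str(len(body)))]
    start_response(status, headers + extra_headers)
    return [body]


def method_allowlist(app: Callable, policy: Dict[str, frozenset] = METHOD_POLICY) -> Callable:
    """Wrap a WSGI app so every request is checked against the per-path allowlist."""
    def middleware(environ, start_response):
        method = environ.get("REQUEST_METHOD", "GET").upper()
        path = environ.get("PATH_INFO") or "/"
        allowed = allowed_methods(path, policy)
        if method not in allowed:
            # RFC 9110 requires Allow on a 405. TRACE never reaches the app,
            # so the request (and its cookies) is never echoed back.
            return _plain(start_response, "405 Method Not Allowed",
                          b"method not allowed", [("Allow", ", ".join(sorted(allowed)))])
        if method in INSECURE_METHODS and "HTTP_AUTHORIZATION" not in environ:
            # Insecure methods stay enabled only where needed and only for
            # authenticated callers (toy check: a credentials header is present).
            return _plain(start_response, "401 Unauthorized", b"authentication required",
                          [("WWW-Authenticate", 'Bearer realm="uploads"')])
        return app(environ, start_response)
    return middleware


def demo_app(environ, start_response):
    """Stand-in application that accepts whatever the middleware lets through."""
    return _plain(start_response, "200 OK", b"ok", [])


hardened_app = method_allowlist(demo_app)


def call(app: Callable, method: str, path: str,
         headers: Optional[Dict[str, str]] = None) -> Tuple[str, Dict[str, str], bytes]:
    """Invoke a WSGI app in-process with a constructed request (no network needed)."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path, "SERVER_NAME": "localhost",
               "SERVER_PORT": "80", "wsgi.url_scheme": "http"}
    for name, value in (headers or {}).items():
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    captured = {}

    def start_response(status, response_headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(response_headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def audit_allow_header(allow_value: str) -> List[str]:
    """Insecure methods advertised in an Allow header (from OPTIONS or a 405 response)."""
    advertised = {m.strip().upper() for m in allow_value.split(",") if m.strip()}
    return sorted(advertised & INSECURE_METHODS)


def report_enabled_methods(app: Callable, path: str,
                           methods: Iterable[str] = ("OPTIONS", "TRACE", "PUT", "DELETE", "CONNECT")
                           ) -> Dict[str, str]:
    """Per-URL check like the scanner's: which probed methods are not refused with 405?"""
    enabled = {}
    for m in methods:
        status, _, _ = call(app, m, path)
        if not status.startswith("405"):
            enabled[m] = status
    return enabled


if __name__ == "__main__":
    for p in ("/", "/api/uploads/42"):
        print(p, report_enabled_methods(hardened_app, p) or "no risky method enabled")
```

Running the file reports, per path, which risky methods the hardened app still accepts: nothing for the site root, and PUT and DELETE for the upload resource, where they answer 401 rather than 405 because they are enabled but gated behind authentication. That is exactly the distinction the fix above asks for: a method that is needed stays enabled for one resource and for authorized callers only, while every other URL refuses it outright.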