While the most widely used HTTP methods, including HEAD, GET, POST and CONNECT, are usually essential to the functioning of a web application and safe, some lesser-known HTTP methods can create vulnerabilities. These include PUT and DELETE, which on misconfigured systems can expose the file system to remote modification, and debugging methods such as TRACK, TRACE, OPTIONS and DEBUG, which can help attackers obtain sensitive session data such as cookies. The TRACK and TRACE methods in particular can be used in cross-site tracing (XST) attacks to steal cookies, including those marked with the HttpOnly flag.
Severity: Informational
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
CVSS Score: 0.0
Recommendation: Disable all HTTP methods not in use by the web application.
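As an added illustration of the recommendation above (not part of the original finding), the following Apache httpd 2.4 virtual-host fragment shows a configuration that leaves the unneeded methods reachable next to one that restricts them; the host name and paths are placeholders.

```apache
# Added example: weak versus hardened method handling in Apache httpd 2.4.
# Host name and paths are placeholders, not values from the finding.

# --- Weak: no method restriction, and TRACE is enabled by default ---
<VirtualHost *:443>
    ServerName app.example.test
    DocumentRoot /var/www/app
    # Enabling mod_dav here would additionally honour PUT and DELETE
    # from any client allowed to reach the directory.
</VirtualHost>

# --- Hardened: only the methods the application actually uses get through ---
<VirtualHost *:443>
    ServerName app.example.test
    DocumentRoot /var/www/app

    # TRACE is answered by the core before <Limit>/<LimitExcept> is
    # consulted, so it has its own directive; "off" makes the server
    # reply 405 Method Not Allowed to TRACE requests.
    TraceEnable off

    <Directory /var/www/app>
        # Deny every method except the ones the application needs.
        # This rejects PUT, DELETE, OPTIONS, PATCH and any method the
        # server does not recognise (TRACK and DEBUG among them).
        <LimitExcept GET POST HEAD>
            Require all denied
        </LimitExcept>
    </Directory>
</VirtualHost>
```

After reloading, verify against a test host that only GET, HEAD and POST succeed and that TRACE is refused with 405, since a reverse proxy or another module in front of the vhost can still answer methods the vhost itself rejects.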