GSA / ai-experience-sharing-platform

This is the source code for the CoE AI Platform (Use Case Library and other content).

Finding: Insecure HTTP Method – PUT #341

Open danielnaab opened 3 years ago

danielnaab commented 3 years ago

This method was originally intended for file management operations. It is now most commonly used in REST services, where PUT is most often utilized for update capabilities: PUT-ing to a known resource URI with the request body containing the newly updated representation of the original resource.

Recommendation: Disable insecure methods such as DELETE, TRACK, TRACE, and CONNECT on the web server, and ensure that the underlying service implementation does not support insecure methods.

This finding involves considering if the PUT usage in Strapi is safe, and remediating if not (like #340).

rrkane10x commented 3 years ago

Not a big issue. Need to address that this is an acceptable practice. Requires justification back to pentesting analyst.