Closed nathanawmk closed 4 years ago
Hi @nathanawmk,
I understand your point, nevertheless there's no space in the Top 10 for a dedicated category, at least in the 2019 version.
This is addressed as a security misconfiguration: please check API7:2019 Security Misconfiguration. Maybe we can add your recommendation to the "How to Prevent" section.
What do you think?
Cheers, Paulo A. Silva
Hi @PauloASilva
Sure. Yes, this needs to be added as recommendation to the "How to Prevent." Please do!
Regards,
Nathan Aw
Hello! I refer to Pull Request https://github.com/OWASP/API-Security/pull/28 to include 0xa10-multiple-verbs-exposure.md
There is an urgency to include this as many APIs are woefully vulnerable to this vulnerability. Please let me know when we can merge this to the master branch?
_By default, APIs do not restrict/limit the HTTP Verbs/Methods by which they can be accessed. On rare occasions, depending on how securely the server was or is set up, a sophisticated attacker may be able to use HEAD to leak information/secrets on the server.
API developers should ensure that APIs they build can only be accessed by the prescribed and specified HTTP verbs. All other verbs should not be permitted.
Nathan Aw (Singapore)_
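The recommendation above (only the prescribed verbs may reach a route; everything else is refused) in working form, as an added illustration that is not part of this thread or of the OWASP API Security project. It uses a hypothetical in-memory route table rather than a real framework; the two dispatchers contrast the permissive default the thread describes (the path is matched, the verb is ignored) with an explicit per-route method allowlist that answers 405 and an `Allow` header for anything not registered, HEAD and TRACE included.

```python
"""Per-route HTTP method allowlist versus verb-agnostic dispatch.

Added example, not OWASP project code. The route table and handlers are
hypothetical; a real service would wire the same check into its router.
"""
from typing import Callable, Dict, List, Tuple

Response = Tuple[int, Dict[str, str], bytes]
Handler = Callable[[], Response]

# Hypothetical route table: path -> {METHOD: handler}
ROUTES: Dict[str, Dict[str, Handler]] = {}


def route(path: str, methods: List[str]):
    """Register a handler for exactly the listed verbs (upper-cased)."""
    def deco(fn: Handler) -> Handler:
        ROUTES.setdefault(path, {})
        for m in methods:
            ROUTES[path][m.upper()] = fn
        return fn
    return deco


@route("/api/users", ["GET"])
def list_users() -> Response:
    # Constructed sample payload; stands in for data the route would return.
    return 200, {"Content-Type": "application/json"}, b'{"users": ["alice", "bob"]}'


@route("/api/users", ["POST"])
def create_user() -> Response:
    return 201, {"Content-Type": "application/json"}, b'{"created": true}'


def dispatch_unrestricted(method: str, path: str) -> Response:
    """The weak behaviour: match on path only, serve any verb with the first
    handler found. HEAD, TRACE, PUT, ... all reach application code."""
    handlers = ROUTES.get(path)
    if not handlers:
        return 404, {}, b""
    first_handler = next(iter(handlers.values()))
    return first_handler()


def dispatch_allowlisted(method: str, path: str) -> Response:
    """The recommended behaviour: a route answers only the verbs it was
    registered for. Anything else gets 405 plus an Allow header listing the
    permitted verbs, and never touches a handler."""
    handlers = ROUTES.get(path)
    if not handlers:
        return 404, {}, b""
    handler = handlers.get(method.upper())
    if handler is None:
        return 405, {"Allow": ", ".join(sorted(handlers))}, b""
    return handler()


def allowed_methods(path: str) -> List[str]:
    """Effective verb list for a path; useful for auditing a route table."""
    return sorted(ROUTES.get(path, {}))


if __name__ == "__main__":
    for verb in ("GET", "HEAD", "TRACE", "DELETE"):
        weak = dispatch_unrestricted(verb, "/api/users")
        hard = dispatch_allowlisted(verb, "/api/users")
        print(f"{verb:6} unrestricted={weak[0]} allowlisted={hard[0]} {hard[1]}")
```

When checking a real deployment, audit the effective verb list rather than the source: some frameworks (Flask is one) add HEAD and OPTIONS to every GET route automatically, and a reverse proxy or default server handler may answer verbs the application never registered, so the test is an actual request with each unexpected verb, expecting 405 (or 404/501) and nothing from the handler.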