 

Disable HTTP OPTIONS, TRACE, HEAD, COPY and UNLOCK methods in IIS


For security reasons I want to disable those methods at the application level, so I have this web.config file:

```xml
<configuration>
  <location path="index.php">
    <system.webServer>
      <directoryBrowse enabled="false" />
    </system.webServer>
    <system.web>
      <authorization>
        <deny verbs="OPTIONS" users="*" />
        <deny verbs="TRACE" users="*" />
        <deny verbs="HEAD" users="*" />
        <deny verbs="PROPFIND" users="*" />
        <deny verbs="COPY" users="*" />
        <deny verbs="LOCK" users="*" />
        <deny verbs="UNLOCK" users="*" />
        <deny verbs="PROPPATCH" users="*" />
        <deny verbs="MKCOL" users="*" />
        <deny verbs="MOVE" users="*" />
        <deny verbs="DELETE" users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

But this didn't work - any ideas?

Samy Massoud asked Aug 26 '12 15:08


People also ask

How do you fix insecure HTTP methods?

Enable only the HTTP methods on your web server that your application actually needs. Where possible, restrict requests to GET and POST.

Is HTTP OPTIONS a security vulnerability?

OPTIONS reports which HTTP methods the server allows for a resource. On its own it is an information disclosure rather than an exploitable hole, but it gives an attacker a shortcut for finding another weakness, for example WebDAV verbs (PROPFIND, MKCOL, MOVE, COPY, LOCK) that should never have been enabled on a production site. Before blocking it, note that browsers send OPTIONS as the CORS preflight request, so denying it breaks any cross-origin calls your site is meant to serve.


2 Answers

Finally I found another answer for this problem, and it is working for me. Just add the data below to your web.config file.

```xml
<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <verbs allowUnlisted="true">
          <add verb="OPTIONS" allowed="false" />
        </verbs>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
```

For more information, you can visit this web site: http://www.iis.net/learn/manage/configuring-security/use-request-filtering

If you want to test whether your web site is working or not, you can use the "HttpRequester" Mozilla Firefox plugin: https://addons.mozilla.org/En-us/firefox/addon/httprequester/

Mahmut EFE answered Oct 16 '22 23:10
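The request-filtering approach in the answer above can be driven from PowerShell instead of editing web.config by hand. The script below is an added example, not code from the answer or from Microsoft. It denies the full verb list from the question on one site (the answer only shows OPTIONS) using the WebAdministration module, then sends each verb to the site to confirm the rejection. The site name and base URL are placeholders you must change. Two points a practitioner should know before running it: Request Filtering is evaluated in the IIS pipeline before any handler, which is why it works for a PHP site where the `<system.web><authorization>` rules in the question did not; and OPTIONS is what browsers send for CORS preflight while HEAD is what many monitors and caches use, so the script leaves those two out unless you opt in. A denied verb comes back as HTTP 404 (substatus 404.6, "Verb denied"); a 405 means the verb got past filtering and a handler refused it, which is not the same protection.

```powershell
# Added example, not from the answer above or from Microsoft.
# Assumptions: IIS 7 or later, WebAdministration module available,
# run from an elevated PowerShell prompt on the web server.
Import-Module WebAdministration

$SiteName = 'Default Web Site'      # placeholder: your site name
$BaseUrl  = 'http://localhost/'     # placeholder: URL the probe hits
$PSPath   = "IIS:\Sites\$SiteName"
$Filter   = 'system.webServer/security/requestFiltering/verbs'

# Verbs from the question. HEAD and OPTIONS are opt-in on purpose:
# OPTIONS is the CORS preflight verb and HEAD is used by monitors and caches.
$DenyVerbs = 'TRACE','PROPFIND','PROPPATCH','MKCOL','COPY','MOVE','LOCK','UNLOCK','DELETE'
# $DenyVerbs += 'HEAD','OPTIONS'

# allowUnlisted=true keeps GET/POST (and anything else not listed) working;
# only the verbs added below are denied.
Set-WebConfigurationProperty -PSPath $PSPath -Filter $Filter -Name 'allowUnlisted' -Value $true

foreach ($verb in $DenyVerbs) {
    $entry = Get-WebConfiguration -PSPath $PSPath -Filter "$Filter/add[@verb='$verb']"
    if ($null -eq $entry) {
        # Append a new <add verb="..." allowed="false" /> to the <verbs> collection.
        Add-WebConfigurationProperty -PSPath $PSPath -Filter $Filter -Name '.' `
            -Value @{ verb = $verb; allowed = $false }
    } else {
        # Entry already present: make sure it is a deny, not an allow.
        Set-WebConfigurationProperty -PSPath $PSPath -Filter "$Filter/add[@verb='$verb']" `
            -Name 'allowed' -Value $false
    }
}

# Client-side check. HttpWebRequest is used instead of Invoke-WebRequest because
# Windows PowerShell 5.1 only accepts a fixed set of values for -Method and
# rejects the WebDAV verbs (PROPFIND, MKCOL, ...) we need to send.
function Test-HttpVerb {
    param([string]$Url, [string]$Verb)
    $req = [System.Net.WebRequest]::Create($Url)
    $req.Method  = $Verb
    $req.Timeout = 5000
    try {
        $resp = $req.GetResponse()
        $code = [int]$resp.StatusCode
        $resp.Close()
    } catch [System.Net.WebException] {
        # 4xx/5xx responses surface as WebException with the response attached.
        if ($_.Exception.Response) { $code = [int]$_.Exception.Response.StatusCode }
        else { throw }
    }
    return $code
}

# GET is included as a control: it must still return 200 after the change.
foreach ($verb in ($DenyVerbs + 'GET')) {
    $code = Test-HttpVerb -Url $BaseUrl -Verb $verb
    [pscustomobject]@{
        Verb    = $verb
        Status  = $code
        Blocked = ($verb -ne 'GET' -and $code -eq 404)
    }
}
```

Run it once, then re-run only the probe loop from another machine if you want proof that nothing in front of IIS (a load balancer or WAF) is answering instead of the server. If any denied verb reports 200, check that the change landed in the site's own web.config rather than being overridden by a `<location>` block, and that request filtering has not been locked at the applicationHost.config level.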


This worked for me but only after forcing the specific verbs to be handled by the default handler.

```xml
<system.web>
  ...
  <httpHandlers>
    ...
    <add path="*" verb="OPTIONS" type="System.Web.DefaultHttpHandler" validate="true"/>
    <add path="*" verb="TRACE" type="System.Web.DefaultHttpHandler" validate="true"/>
    <add path="*" verb="HEAD" type="System.Web.DefaultHttpHandler" validate="true"/>
  </httpHandlers>
</system.web>
```

You still use the same configuration as you have above, but also force the verbs to be handled with the default handler and validated. Source: http://forums.asp.net/t/1311323.aspx

An easy way to test is just to deny GET and see if your site loads.

BrutalDev answered Oct 17 '22 00:10