The HTTP PUT method is enabled. This may allow a malicious user to upload malicious content or code to the web server, leading to further security compromise.
What is HTTP PUT method?
The PUT method requests that the state of the target resource be created or replaced with the state defined by the representation enclosed in the request message payload, i.e. HTTP PUT creates a new resource, or replaces the representation of the target resource on the origin server with the request payload.
PUT /root.html HTTP/1.1
The PUT method requests that the enclosed file be stored under the supplied URL. If the URL points to an already existing file, the enclosed file is treated as a modified version of the one present on the server. If the URL does not point to an existing file, and that URL is capable of being defined as a new file by the requesting user agent, the server can create the file with that URL.
PUT /root.html HTTP/1.1
Host: test.com
Content-Type: text/html
Content-length: 30

<p> file via PUT method </p>
If the HTTP PUT request returns "201 Created", the file in the PUT request was successfully created at the specified URI.
If the HTTP PUT request returns "200 OK", the file in the PUT request was successfully modified at the specified URI, provided it matched the file type present on the server.
To disable HTTP PUT in Apache:
# mod_rewrite must be loaded and the rewrite engine switched on
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(TRACE|PUT|OPTIONS)
RewriteRule .* - [F]
To disable HTTP PUT in IIS:
To disable HTTP PUT in Tomcat:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>restricted methods</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>PUT</http-method>
    <http-method>POST</http-method>
    <http-method>DELETE</http-method>
    <http-method>OPTIONS</http-method>
    <http-method>TRACE</http-method>
  </web-resource-collection>
  <auth-constraint />
</security-constraint>
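To see from the access log whether PUT requests wrote to the server or are now refused, the added example below (not part of the original page) classifies each PUT by its response status. It assumes the common/combined access-log format; treating 204 as a successful write and 403/405 as refusals goes beyond the two status codes the page describes, and the sample lines are constructed.

```python
import re
from collections import Counter

# Common/combined access-log line:
# host ident user [time] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Outcome of a PUT by response status. 201 and 200 are the cases the page
# describes; 204 (also a success for PUT) and 403/405 (typical when the
# method is refused) are assumptions added for this example.
OUTCOMES = {201: "created", 200: "replaced", 204: "replaced",
            403: "blocked", 405: "blocked"}

def classify_put(line):
    """Return (host, path, outcome) for a PUT request line, else None."""
    m = LOG_RE.match(line)
    if not m or m.group("method") != "PUT":
        return None
    outcome = OUTCOMES.get(int(m.group("status")), "other")
    return m.group("host"), m.group("path"), outcome

def audit(lines):
    """Count PUT outcomes and list the requests that changed server content."""
    counts, writes = Counter(), []
    for line in lines:
        hit = classify_put(line)
        if hit is None:
            continue  # not a PUT, or not a parseable log line
        counts[hit[2]] += 1
        if hit[2] in ("created", "replaced"):
            writes.append(hit)
    return counts, writes

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512',
    '192.0.2.44 - - [01/Jan/2024:10:00:05 +0000] "PUT /root.html HTTP/1.1" 201 0',
    '192.0.2.44 - - [01/Jan/2024:10:00:09 +0000] "PUT /root.html HTTP/1.1" 200 0',
    '192.0.2.44 - - [01/Jan/2024:10:03:00 +0000] "PUT /root.html HTTP/1.1" 403 199',
    'malformed line',
]

if __name__ == "__main__":
    counts, writes = audit(SAMPLE)
    print(dict(counts))
    for host, path, outcome in writes:
        print(f"REVIEW: {host} {outcome} {path} via PUT")
```

Any "created" or "replaced" entry is a file to inspect on disk; once the method is disabled, new PUT requests should only appear as "blocked".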