
Unsafe HTTP Method

What does this mean?

Safe HTTP methods (GET, HEAD, OPTIONS) are intended only to retrieve information from the server without modifying any resource. Unsafe HTTP methods (POST, PUT, DELETE, PATCH and others) can modify resources on the server. Exposing unsafe methods, or allowing a state-changing action to be triggered through a safe method, creates a vulnerability in a web application because it can allow an attacker to perform unauthorized actions on the server.

What can happen?

  • An attacker could modify or delete data on the server, leading to data loss or corruption.
  • An attacker could gain unauthorized access to resources on the server, such as confidential data or sensitive information.
  • An attacker could overwhelm the server with requests, potentially causing a denial of service (DoS) and disrupting the availability of the web application.
  • An attacker could inject and execute malicious code on the server, potentially allowing them to take control of the server or steal sensitive data.

Recommendation

  • Configure the web server and the application routes to allow only the HTTP methods that are necessary for the application to function properly, and answer every other method with 405 Method Not Allowed.
  • Implement proper authentication and authorization on every state-changing endpoint.
  • Validate user input.
  • Use a web application firewall (WAF).
  • Keep the web application and server software up to date.

Sample Code

Vulnerable:

public class MyController : ApiController
{
    [HttpGet]
    public IHttpActionResult Get()
    {
        // Handle GET requests
        return Ok();
    }

    [HttpPost]
    public IHttpActionResult Post()
    {
        // Handle POST requests
        return Ok();
    }
}

Non Vulnerable:

public class MyController : ApiController
{
    [HttpGet]
    public IHttpActionResult Get()
    {
        // Handle GET requests
        return Ok();
    }
}

Vulnerable:

@RequestMapping("/remove_user")  // Vulnerable: no method restriction, so Spring maps GET, POST, PUT, DELETE, ... to this destructive action
public String remove_user(String username) {
    // handle logic
    return "removed";
}

Non Vulnerable:

@RequestMapping("/remove_user", method = RequestMethod.POST)  // Non Vulnerable: only POST reaches the handler, every other method gets 405
public String remove_user(String username) {
    // handle logic
    return "removed";
}

Vulnerable:

if ($_SERVER['REQUEST_METHOD'] === 'GET') {
    // Handle GET requests
} elseif ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Handle POST requests
} elseif ($_SERVER['REQUEST_METHOD'] === 'PUT') {
    // Handle PUT requests
} elseif ($_SERVER['REQUEST_METHOD'] === 'DELETE') {
    // Handle DELETE requests
}

Non Vulnerable:

if ($_SERVER['REQUEST_METHOD'] === 'GET') {
    // Handle GET requests
}

Vulnerable:

app.get('/', (req, res) => {
    // Handle GET requests
    res.send('Hello, World!');
});

app.post('/', (req, res) => {
    // Handle POST requests
    res.send('Hello, World!');
});

Non Vulnerable:

app.get('/', (req, res) => {
    // Handle GET requests
    res.send('Hello, World!');
});

Vulnerable:

http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
    // Handles GET, POST, PUT, DELETE and any other method: net/http never checks r.Method for you
    fmt.Fprint(w, "Hello, World!")
})

http.ListenAndServe(":3000", nil)

Non Vulnerable:

http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
    if r.Method == "GET" {
        // Handle GET requests
        fmt.Fprint(w, "Hello, World!")
        return
    }
    // Every other method is refused explicitly instead of silently getting an empty 200
    w.Header().Set("Allow", "GET")
    http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
})

http.ListenAndServe(":3000", nil)
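The Go sample above shows the check for one route. The following is an added example (not code from the original page) that applies the first recommendation more generally: a per-route method allowlist for net/http that answers every unlisted method with 405 and an Allow header, keeps a destructive action (remove_user) behind POST only, and includes an in-process probe so the behaviour can be verified without a network. The user store, route names and the Probe helper are constructed for this example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"sort"
	"strings"
)

// AllowMethods wraps a handler and rejects any request whose method is not in
// the route's allowlist. A rejected request gets 405 Method Not Allowed plus an
// Allow header listing what the route accepts, as RFC 9110 requires.
func AllowMethods(next http.HandlerFunc, methods ...string) http.HandlerFunc {
	allowed := make(map[string]bool, len(methods)+1)
	for _, m := range methods {
		allowed[strings.ToUpper(m)] = true
	}
	// HEAD is safe and is answered like GET by net/http; permit it whenever GET is.
	if allowed[http.MethodGet] {
		allowed[http.MethodHead] = true
	}
	names := make([]string, 0, len(allowed))
	for m := range allowed {
		names = append(names, m)
	}
	sort.Strings(names)
	allowHeader := strings.Join(names, ", ")

	return func(w http.ResponseWriter, r *http.Request) {
		if !allowed[r.Method] {
			w.Header().Set("Allow", allowHeader)
			w.WriteHeader(http.StatusMethodNotAllowed)
			fmt.Fprintln(w, "method not allowed")
			return
		}
		next(w, r)
	}
}

// users is a constructed in-memory store standing in for a real database.
var users = map[string]bool{"alice": true, "bob": true}

// UserExists reports whether a user is still present (used to verify that a
// refused request did not change state).
func UserExists(name string) bool { return users[name] }

// listUsers is a safe, read-only endpoint.
func listUsers(w http.ResponseWriter, r *http.Request) {
	names := make([]string, 0, len(users))
	for n := range users {
		names = append(names, n)
	}
	sort.Strings(names)
	fmt.Fprintln(w, strings.Join(names, "\n"))
}

// removeUser changes state, so NewMux exposes it over POST only.
func removeUser(w http.ResponseWriter, r *http.Request) {
	name := r.FormValue("username")
	if !users[name] {
		http.Error(w, "unknown user", http.StatusNotFound)
		return
	}
	delete(users, name)
	fmt.Fprintf(w, "removed %s\n", name)
}

// NewMux wires each route to exactly the methods it needs.
func NewMux() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/users", AllowMethods(listUsers, http.MethodGet))
	mux.HandleFunc("/remove_user", AllowMethods(removeUser, http.MethodPost))
	return mux
}

// Probe sends one in-process request and returns the status code and the
// Allow header, which is exactly what a method-enumeration check looks at.
func Probe(h http.Handler, method, path, form string) (int, string) {
	req := httptest.NewRequest(method, path, strings.NewReader(form))
	if form != "" {
		req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, rec.Header().Get("Allow")
}

func main() {
	h := NewMux()
	for _, m := range []string{"GET", "PUT", "DELETE", "TRACE"} {
		code, allow := Probe(h, m, "/remove_user?username=alice", "")
		fmt.Printf("%-6s /remove_user -> %d  Allow: %q\n", m, code, allow)
	}
	http.ListenAndServe(":3000", h)
}
```

Note that the GET probe of /remove_user?username=alice is refused before the handler runs, so the record for alice is untouched; the same request over POST succeeds. On Go 1.22 and later the same effect can be had by registering patterns such as "POST /remove_user" directly on http.ServeMux, but the wrapper works on any Go version and makes the Allow header explicit.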

Vulnerable:

get '/' do
    # Handle GET requests
    "Hello, World!"
end

post '/' do
    # Handle POST requests
    "Hello, World!"
end

Non Vulnerable:

get '/' do
    # Handle GET requests
    "Hello, World!"
end
