Forum Discussion
AlertLogic Vulnerability: "Web Server Allows Cross-Site Tracing": Suggestion Needed
Hi Team,
Keeping in mind that the GET and POST methods are used to request information from a web server, the HTTP protocol also allows several others, including HEAD, PUT, DELETE, TRACE, OPTIONS, and CONNECT. Some of these can pose potential security risks as well, right?
So, can we try something like this, which will also cover our other triggered vulnerability, "Web server allows HTTP method DELETE":
    when RULE_INIT {
        set sec_http_methods [list "CONNECT" "DELETE" "HEAD" "OPTIONS" "PUT" "TRACE"]
    }
    when HTTP_REQUEST {
        if { [matchclass [HTTP::method] equals $::sec_http_methods] } {
            reject
        }
    }
Thanks and Regards PZ
4 Replies
- John_Alam_45640 (Historic F5 Account)
This iRule can block these methods, but a few adjustments are needed:
1) matchclass is old; with version 11.x you should use [class match ...].
2) [matchclass] and [class match ...] do not work on TCL lists or arrays; they operate on BIG-IP data groups. Create a "String" based data group and reference it in the iRule.
3) Rather than listing the disallowed methods, list the allowed ones, which is shorter:

    ltm data-group internal /Common/allowed_http_methods {
        records {
            GET { }
            POST { }
        }
        type string
    }

    ltm rule only_allowed_methods {
        when HTTP_REQUEST {
            # Reject anything whose method is not in the allowed-methods data group
            if { not ( [class match [HTTP::method] equals /Common/allowed_http_methods] ) } {
                reject
            }
        }
    }

HTH
- Parveez_70209 (Nimbostratus)
Hi John,
OK, so apart from GET and POST it will reject the others, right? And will it create any issues or disruption in regular web traffic?
Thanks and Regards PZ
- John_Alam_45640 (Historic F5 Account)
Parveez:
This will not do anything to any request where the Method is included in the datagroup.
If you capture the requests on the browser side using Fiddler, HttpWatch or similar tools, you will be able to tell if there are any other HTTP methods you may want to allow.
HTH.
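Added example, not part of this thread and not F5 code: a self-contained Python stand-in for the allowlist behaviour John describes in his first reply, together with the client-side check his second reply calls for. The stand-in server is a local `http.server` whose method check mirrors `class match [HTTP::method] equals /Common/allowed_http_methods` (an exact, case-sensitive string match against GET and POST) and whose non-match path mirrors `reject` by closing the TCP connection without sending any HTTP response. A prober then sends each of the flagged methods (TRACE, DELETE and the rest), the two allowed ones, and a lowercase `get` to show that the match is exact. The local server, its ephemeral port, and the `ALLOWED_METHODS`, `method_allowed`, `probe` and `run_demo` names are all assumptions of this example.

```python
"""Simulate the allowlist iRule locally and verify it from the client side.

Added example (not from the thread, not F5 code). A tiny local server stands in
for the BIG-IP virtual server: its method check mirrors
`class match [HTTP::method] equals /Common/allowed_http_methods`, and a
non-match mirrors `reject` (TCP teardown, no HTTP response). A prober then
sends every method the scanner flagged plus the allowed ones and reports what
the client actually observes.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Stand-in (assumed) for the string data group /Common/allowed_http_methods.
ALLOWED_METHODS = frozenset({"GET", "POST"})

# Methods named in the thread, the two allowed ones, and a lowercase variant
# to show that the match is exact (case-sensitive), as `equals` is.
PROBE_METHODS = ("GET", "POST", "HEAD", "OPTIONS", "PUT", "DELETE",
                 "TRACE", "CONNECT", "get")


def method_allowed(method: str) -> bool:
    """Exact, case-sensitive allowlist check (like `equals` on a string data group)."""
    return method in ALLOWED_METHODS


class AllowlistHandler(BaseHTTPRequestHandler):
    """Minimal origin that enforces the allowlist before any handler runs."""

    def handle_one_request(self):
        self.raw_requestline = self.rfile.readline(65537)
        if not self.raw_requestline:
            self.close_connection = True
            return
        if not self.parse_request():  # parse_request already sent a 400 on failure
            return
        if not method_allowed(self.command):
            # Mirror the iRule's `reject`: drop the connection, send nothing.
            self.close_connection = True
            return
        self.send_response(200)
        self.send_header("Content-Length", "0")
        self.end_headers()
        self.wfile.flush()

    def log_message(self, fmt, *args):  # keep the demo quiet
        pass


def probe(host: str, port: int, methods=PROBE_METHODS) -> dict:
    """Send one request per method; record the status code or 'rejected'."""
    results = {}
    for method in methods:
        conn = http.client.HTTPConnection(host, port, timeout=5)
        try:
            conn.request(method, "/")
            results[method] = conn.getresponse().status
        except (http.client.RemoteDisconnected, ConnectionResetError):
            # No status line at all: the peer closed the TCP connection.
            results[method] = "rejected"
        finally:
            conn.close()
    return results


def run_demo() -> dict:
    """Start the stand-in server on an ephemeral port, probe it, shut it down."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), AllowlistHandler)
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    try:
        return probe("127.0.0.1", server.server_address[1])
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for method, outcome in run_demo().items():
        print(f"{method:8s} -> {outcome}")
```

Run it and the table shows 200 for GET and POST and `rejected` (connection closed before any status line) for everything else, including the lowercase `get`. The same `probe` function, pointed at the real virtual server, is the quickest way to confirm that TRACE and DELETE are gone once the iRule is applied. When deciding what else to allow from a browser capture, note that OPTIONS appears as the CORS preflight request for cross-origin calls, and a GET/POST-only allowlist would reject it too.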
- Parveez_70209 (Nimbostratus)
Ok John, thank you so much for your earnest suggestion. Will do so.
Thanks and Regards Parveez