
Parveez_70209
Aug 09, 2014

Vulnerability "Web server allows HTTP method DELETE"

Keeping in mind that GET and POST methods are used to request information from a web server, but the HTTP protocol allows several others, including HEAD, PUT, DELETE, TRACE, OPTIONS, and CONNECT. Some of these can also cause potential security risks, right?

 

So, can we try something like this, which will even include our triggered vulnerability "Web server allows HTTP method DELETE":

 

Hi Team,

 

Can the below iRule be used to mitigate the vulnerability "Web server allows HTTP method DELETE"?

 

when RULE_INIT {
    # HTTP methods to block
    set sec_http_methods [list "CONNECT" "DELETE" "HEAD" "OPTIONS" "PUT" "TRACE"]
}

when HTTP_REQUEST {
    # Reject the connection when the request method is in the list
    if { [matchclass [HTTP::method] equals $::sec_http_methods] } {
        reject
    }
}

 

Thanks and Regards Parveez

 

3 Replies

  • Hi Parveez,

     

    Yes, it can, and the rule you posted can block the methods from being used.

     

  • Hi,

     

    Thanks for cross-checking, but will it impact regular traffic or will it cause any issue?

     

    Thanks and Regards Parveez

     

  • It's going to cause issues, if your website uses any one of these methods to function. Outside of that I don't believe so.
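
Added example, not part of the original thread: one way to check whether regular traffic relies on any of the methods the iRule rejects is to count them in existing web server access logs before enabling the rule. The sketch assumes access logs in common/combined log format; the sample log lines, addresses, paths and the function name `would_be_rejected` are constructed for illustration.

```python
import re
from collections import Counter

# Methods rejected by the iRule posted in the thread.
BLOCKED_METHODS = {"CONNECT", "DELETE", "HEAD", "OPTIONS", "PUT", "TRACE"}

# Request part of a common/combined log line: "METHOD /path HTTP/x.y" status
REQUEST_RE = re.compile(
    r'"(?P<method>[A-Za-z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [09/Aug/2014:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120
192.0.2.11 - - [09/Aug/2014:10:00:02 +0000] "POST /login HTTP/1.1" 302 0
192.0.2.12 - - [09/Aug/2014:10:00:03 +0000] "HEAD /health HTTP/1.1" 200 0
192.0.2.12 - - [09/Aug/2014:10:00:08 +0000] "HEAD /health HTTP/1.1" 200 0
192.0.2.13 - - [09/Aug/2014:10:00:09 +0000] "OPTIONS /api/items HTTP/1.1" 204 0
192.0.2.14 - - [09/Aug/2014:10:00:10 +0000] "DELETE /api/items/7 HTTP/1.1" 405 0
192.0.2.15 - - [09/Aug/2014:10:00:11 +0000] "PUT /api/items/7 HTTP/1.1" 200 18
malformed line without a request
"""


def would_be_rejected(log_text, blocked=BLOCKED_METHODS):
    """Count (method, path) pairs that the blocklist would reject but that the
    server answers successfully today (2xx/3xx), i.e. traffic that is in use."""
    hits = Counter()
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue  # skip lines without a parsable request
        method = match.group("method")  # exact, case-sensitive comparison
        status = int(match.group("status"))
        # Requests the server already refuses (4xx/5xx) lose nothing when blocked.
        if method in blocked and 200 <= status < 400:
            hits[(method, match.group("path"))] += 1
    return dict(hits)


if __name__ == "__main__":
    for (method, path), count in sorted(would_be_rejected(SAMPLE_LOG).items()):
        print(f"{method:8} {path:20} {count} request(s) would be rejected")
```

Any entry in the output is a method and path that clients use successfully today and that would start failing once the rule is attached to the virtual server.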