Security Basics mailing list archives
Re: HTTP Method?
From: Kerbl Thomas Rudolf <cms00008 () fh-hagenberg at>
Date: Mon, 29 Sep 2003 09:25:28 +0200
----- Original Message -----
From: "SB CH" <chulmin2 () hotmail com>
To: <security-basics () securityfocus com>
Sent: Friday, September 26, 2003 1:35 PM
Subject: HTTP Method?
Hello, all. I heard that some HTTP methods like DELETE, TRACE, CONNECT would not be allowed. Which security problem would there be if one allows these methods in the web server?
Well, DELETE obviously may enable an attacker to wipe your files if the security settings on your file systems are too weak. I see no good reason why one would want to enable DELETE anyway.

TRACE is a debugging method; after the server config worx for you, you should disable it. It is possible to start a Cross Site Scripting attack on your webpage. You can find details on this topic in the excellent whitepaper from WhiteHat Security:
http://www.cgisecurity.com/whitehat-mirror/WhitePaper_screen.pdf

*hth*
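An added example, not part of the original post: one way to check a server you operate for the methods discussed in this thread. It reads the `Allow` header from an OPTIONS response and sends a TRACE probe, but never sends DELETE itself. All function and class names, the `X-Audit-Marker` header, and the two loopback test servers are constructed for illustration.

```python
import http.client
import threading
from contextlib import closing
from http.server import BaseHTTPRequestHandler, HTTPServer

RISKY = {"DELETE", "TRACE", "CONNECT"}  # the methods asked about in the thread
MARKER = "trace-probe-1"  # constructed value; echoed back if TRACE is enabled

def probe(host, port, method, headers=None):
    with closing(http.client.HTTPConnection(host, port, timeout=5)) as conn:
        conn.request(method, "/", headers=headers or {})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Allow") or "", resp.read()

def audit_methods(host, port):
    """Risky methods the server advertises (Allow) or answers (TRACE)."""
    # DELETE is never sent: on a weak server the probe itself could remove data.
    _, allow, _ = probe(host, port, "OPTIONS")
    found = {m.strip().upper() for m in allow.split(",")} & RISKY
    # TRACE is safe to send; it is enabled if the marker header is echoed back.
    status, _, body = probe(host, port, "TRACE", {"X-Audit-Marker": MARKER})
    if status == 200 and MARKER.encode() in body:
        found.add("TRACE")
    return found

class HardenedHandler(BaseHTTPRequestHandler):
    """Constructed server: no do_TRACE or do_DELETE, so both get 501."""
    allow = "GET, HEAD, OPTIONS"
    def do_OPTIONS(self):
        self.send_response(200)
        self.send_header("Allow", self.allow)
        self.end_headers()
    def log_message(self, *args): pass  # keep the demo quiet

class WeakHandler(HardenedHandler):
    """Constructed server: advertises DELETE and echoes TRACE requests."""
    allow = "GET, HEAD, OPTIONS, DELETE"
    def do_TRACE(self):
        self.send_response(200)
        self.end_headers()
        self.wfile.write((self.requestline + "\r\n" + str(self.headers)).encode())

def audit_local(handler):
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    found = audit_methods("127.0.0.1", server.server_port)
    server.shutdown()
    server.server_close()
    return found
```

`audit_local(WeakHandler)` reports DELETE and TRACE, while `audit_local(HardenedHandler)` reports nothing. A server can omit a method from `Allow` and still accept it, so treat the OPTIONS result as a first check and confirm against the server configuration.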