Security Basics mailing list archives

Re: HTTP Method?


From: Kerbl Thomas Rudolf <cms00008 () fh-hagenberg at>
Date: Mon, 29 Sep 2003 09:25:28 +0200

----- Original Message ----- 
From: "SB CH" <chulmin2 () hotmail com>
To: <security-basics () securityfocus com>
Sent: Friday, September 26, 2003 1:35 PM
Subject: HTTP Method?


Hello, all.

I heard that some HTTP methods like DELETE, TRACE, CONNECT would not be 
allowed.
Which security problems would there be if one allows these methods in the web 
server?

Well, DELETE obviously may enable an attacker to wipe your files if the 
security settings on your file systems are too weak. I see no good reason why 
one would want to enable DELETE anyway.

TRACE is a debugging method; after the server config works for you, you should 
disable it. It is possible to start a Cross Site Scripting attack on your 
webpage. You can find details on this topic in the excellent whitepaper from 
WhiteHat Security:
http://www.cgisecurity.com/whitehat-mirror/WhitePaper_screen.pdf

*hth*
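
A check for the two methods discussed in the reply above, as an added example that is not part of the original post: it sends DELETE and TRACE to a server you administer and reports whether each is rejected and whether TRACE echoes request headers back. The handler classes, marker header, path and loopback servers are constructed for the demo.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

MARKER = "audit-12345"  # constructed value; lets us recognise our own request in a TRACE echo

def audit_methods(host, port, path="/method-audit-nonexistent"):
    """Send DELETE and TRACE to a server you administer; return {method: finding}."""
    findings = {}
    for method in ("DELETE", "TRACE"):
        conn = http.client.HTTPConnection(host, port, timeout=5)
        try:
            conn.request(method, path, headers={"X-Audit-Marker": MARKER})
            resp = conn.getresponse()
            body = resp.read().decode("latin-1")
        finally:
            conn.close()
        if method == "TRACE" and resp.status == 200 and MARKER in body:
            findings[method] = "enabled: echoes request headers"
        elif resp.status in (405, 501):
            findings[method] = "rejected"
        else:
            findings[method] = f"review: status {resp.status}"
    return findings

class QuietHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a hardened server: no do_TRACE/do_DELETE, so both get 501."""
    def log_message(self, *args):
        pass

class TraceEchoHandler(QuietHandler):
    """Constructed stand-in for a server left in debug config: TRACE echoes the request."""
    def do_TRACE(self):
        echo = f"{self.requestline}\r\n{self.headers}".encode("latin-1")
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(echo)))
        self.end_headers()
        self.wfile.write(echo)

def run_local_audit(handler):
    """Start the given handler on a loopback port, audit it, and shut it down."""
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return audit_methods("127.0.0.1", server.server_port)
    finally:
        server.shutdown()
        server.server_close()
```

Call `run_local_audit(TraceEchoHandler)` to see the finding for an echoing server, or point `audit_methods` at your own host and port; any "review" result means the status was neither a clear rejection nor a TRACE echo and should be looked at by hand.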
