About insecure HTTP OPTIONS method or "OPTIONS *" request


Article ID: 270009


Products

CA API Gateway

Issue/Introduction

The following issue is reported by AppScan against the Gateway:

"Insecure "OPTIONS" HTTP Method Enabled"

Reasoning: The Allow header revealed that hazardous HTTP Options are allowed, indicating that WebDAV is enabled on the server
Cause: The web server or application server is configured in an insecure way
Fix: Disable WebDAV, or disallow unneeded HTTP methods

Environment

Release: 10.1

Resolution

1. The "OPTIONS *" request

The "OPTIONS *" request targets the wildcard request-target, i.e. the server itself rather than any particular resource. curl can send it with the --request-target option (curl 7.55.0 or later).

For example:

curl -v -k -i --request-target "*" -X OPTIONS https://<gatewayip>:<port>/<anypath>

Because --request-target replaces the target in the request line, the path given in the URL does not matter; only the host and port are used. The -k option disables TLS certificate verification, so use it only against a Gateway you control.

Referencing RFC 7231, Section 4.3.7 (https://datatracker.ietf.org/doc/html/rfc7231#section-4.3.7):

"An OPTIONS request with an asterisk ("*") as the request-target (Section 5.3 of [RFC7230]) applies to the server in general rather than to a specific resource. Since a server's communication options typically depend on the resource, the "*" request is only useful as a "ping" or "no-op" type of method; it does nothing beyond allowing the client to test the capabilities of the server. For example, this can be used to test a proxy for HTTP/1.1 conformance (or lack thereof)."

There is no explicit rule in the Gateway that blocks OPTIONS * at the host level. The AppScan result is a false positive: the Gateway answered 200 OK with an Allow header listing a few ordinary methods, and AppScan inferred from that alone that WebDAV is enabled. The Gateway does not expose WebDAV by default. A quick check is to read the Allow header in the response to the curl command above: if none of the WebDAV methods (PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, UNLOCK) are listed, the inference is wrong.

The alert can therefore be dismissed as a false positive, based on the RFC and on the fact that the Gateway does not run WebDAV.
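The triage described above, as an added example that is not part of the original article or of the Gateway product: a small POSIX shell script that parses the Allow header of an OPTIONS * response and reports any WebDAV methods it advertises. The sample responses are constructed for illustration, not captured from a real Gateway; the check_gateway function is the live variant, and it assumes the hostname and port you pass it.

```shell
#!/bin/sh
# Added example, not part of the original article: triage the AppScan
# "Insecure OPTIONS" finding by checking what the Allow header really lists.

# WebDAV methods defined in RFC 4918. AppScan infers "WebDAV is enabled" from
# the Allow header; if none of these methods appear there, that inference
# is a false positive.
WEBDAV_METHODS="PROPFIND PROPPATCH MKCOL COPY MOVE LOCK UNLOCK"

# allowed_methods: read raw HTTP response headers on stdin and print the
# methods named in the Allow header, one per line, upper-cased.
allowed_methods() {
    tr -d '\r' \
      | grep -i '^allow:' \
      | sed 's/^[^:]*:[[:space:]]*//' \
      | tr ',' '\n' \
      | tr -d ' ' \
      | tr '[:lower:]' '[:upper:]' \
      | grep -v '^$'
}

# webdav_methods: read raw headers on stdin and print any WebDAV methods the
# Allow header advertises (prints nothing when there are none).
webdav_methods() {
    methods=$(allowed_methods || true)
    for m in $WEBDAV_METHODS; do
        printf '%s\n' "$methods" | grep -qx "$m" && printf '%s\n' "$m"
    done
    return 0
}

# check_gateway HOST PORT: send "OPTIONS *" to a live Gateway (curl 7.55.0 or
# later) and report. -k skips certificate verification, so only point this at
# a Gateway you control. The URL path is irrelevant because --request-target
# replaces it with "*".
check_gateway() {
    hdrs=$(curl -s -k -i --request-target '*' -X OPTIONS "https://$1:$2/")
    found=$(printf '%s\n' "$hdrs" | webdav_methods)
    if [ -n "$found" ]; then
        echo "WebDAV methods advertised in Allow:" $found
        return 1
    fi
    echo "No WebDAV methods in Allow header; the finding is a false positive"
}

# Constructed sample responses (not real captures).
# What a Gateway without WebDAV might answer to OPTIONS *:
SAMPLE_CLEAN='HTTP/1.1 200 OK
Allow: GET, POST, PUT, DELETE, OPTIONS
Content-Length: 0
'
# What a host that really does expose WebDAV would answer:
SAMPLE_WEBDAV='HTTP/1.1 200 OK
Allow: OPTIONS, GET, HEAD, PROPFIND, PROPPATCH, MKCOL, LOCK, UNLOCK
Content-Length: 0
'

# Usage against the samples; swap in "check_gateway <gatewayip> <port>" to
# test a real Gateway.
printf '%s' "$SAMPLE_CLEAN"  | webdav_methods
printf '%s' "$SAMPLE_WEBDAV" | webdav_methods
```

The script deliberately keys on the Allow header rather than on the 200 status, because a 200 to OPTIONS * is exactly what the RFC describes as a harmless "ping"; only the presence of RFC 4918 methods would turn the finding into a real one.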

2. The normal OPTIONS request on a specific resource.

For a specific published service, the HTTP OPTIONS method can be disabled in the service properties:

Policy Manager > right-click the published service (bottom-left panel) > Service Properties > [HTTP/FTP] tab > in the "Allowed HTTP Methods" section, uncheck OPTIONS.

NOTE:

1. The HTTP OPTIONS method is disabled by default when a new web API is published on the Gateway. If you see it enabled for an API, it was most likely enabled on purpose; confirm with the API developer before disabling it.

2. HTTP OPTIONS is required for CORS (Cross-Origin Resource Sharing) preflight requests. If the API needs CORS preflight, you cannot disable OPTIONS, otherwise CORS will not work.

In particular, APIs integrated with the Portal need CORS, so OPTIONS is enabled by default for Portal APIs.
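The preflight check a practitioner would run before unchecking OPTIONS on a service, as an added example that is not part of the original article or of the Gateway product: a POSIX shell script that sends a CORS preflight (OPTIONS with Origin and Access-Control-Request-Method headers) and decides whether the response grants it. The sample responses and the origin https://portal.example.com are constructed for illustration; the preflight_check function is the live variant and assumes the host, port and service path you pass it.

```shell
#!/bin/sh
# Added example, not part of the original article: before unchecking OPTIONS
# on a service, confirm whether that service answers CORS preflight requests.
# A preflight is an OPTIONS request carrying Origin and
# Access-Control-Request-Method; the browser only sends the real request if
# the response grants the origin and method. Disable OPTIONS on such a
# service and every cross-origin browser call to it fails.

# header_value NAME: read raw HTTP response headers on stdin and print the
# value of the first header called NAME (case-insensitive), trimmed.
header_value() {
    tr -d '\r' | grep -i "^$1:" | head -n 1 \
      | sed 's/^[^:]*:[[:space:]]*//; s/[[:space:]]*$//'
}

# preflight_granted ORIGIN METHOD: read a preflight response on stdin; succeed
# only if the status is 2xx, the origin is allowed (exact match or "*") and
# METHOD is listed in Access-Control-Allow-Methods. Prints the verdict.
preflight_granted() {
    hdrs=$(cat)
    status=$(printf '%s\n' "$hdrs" | tr -d '\r' | head -n 1 | cut -d' ' -f2)
    allow_origin=$(printf '%s\n' "$hdrs" | header_value 'Access-Control-Allow-Origin')
    allow_methods=$(printf '%s\n' "$hdrs" | header_value 'Access-Control-Allow-Methods' \
                      | tr -d ' ' | tr ',' '\n')
    case "$status" in
        2*) ;;
        *)  echo "preflight rejected: HTTP $status"; return 1 ;;
    esac
    if [ "$allow_origin" != '*' ] && [ "$allow_origin" != "$1" ]; then
        echo "origin $1 not granted (Allow-Origin: '${allow_origin:-none}')"
        return 1
    fi
    if ! printf '%s\n' "$allow_methods" | grep -qx "$2"; then
        echo "method $2 not in Access-Control-Allow-Methods"
        return 1
    fi
    echo "preflight granted for $1 $2; this service needs OPTIONS"
}

# preflight_check HOST PORT PATH ORIGIN METHOD: send a real preflight to the
# Gateway with curl and evaluate the answer. -k skips certificate
# verification; use it only against a Gateway you control.
preflight_check() {
    curl -s -k -i -X OPTIONS \
        -H "Origin: $4" \
        -H "Access-Control-Request-Method: $5" \
        "https://$1:$2$3" | preflight_granted "$4" "$5"
}

# Constructed sample responses (not real captures). A service that serves
# preflight for a portal origin:
SAMPLE_CORS='HTTP/1.1 200 OK
Access-Control-Allow-Origin: https://portal.example.com
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Allow-Headers: Content-Type, Authorization
Content-Length: 0
'
# A response without CORS headers. Whatever status the Gateway returns once
# OPTIONS is unchecked, the missing Access-Control-Allow-Origin is what makes
# the browser abort the cross-origin call.
SAMPLE_NO_CORS='HTTP/1.1 200 OK
Content-Length: 0
'

# Usage against the samples; swap in
# "preflight_check <gatewayip> <port> /<servicepath> https://portal.example.com POST"
# to test a real service.
printf '%s' "$SAMPLE_CORS"    | preflight_granted 'https://portal.example.com' POST
printf '%s' "$SAMPLE_NO_CORS" | preflight_granted 'https://portal.example.com' POST || true
```

If preflight_granted succeeds for the origins your front end uses, the service depends on OPTIONS and unchecking it would break those clients; if it fails for every origin, OPTIONS is not serving CORS there and can be disabled after confirming with the API developer.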

Additional Information

https://datatracker.ietf.org/doc/html/rfc7231#section-4.3.7 (RFC 7231 has since been obsoleted by RFC 9110, which keeps the same definition of OPTIONS * in Section 9.3.7: https://datatracker.ietf.org/doc/html/rfc9110#section-9.3.7)

https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS