Application accepts arbitrary methods


Article ID: 94901




STARTER PACK-7, CA Rapid App Security, CA API Gateway


It has been observed that the OPTIONS HTTP method is accepted by the application.

Using Burp Suite, craft a request using the OPTIONS HTTP method. The response shows that the method is enabled on the server and lists the other methods enabled on the server.


All Versions of SSG


The OPTIONS method only tells you which methods are available. It is not a vulnerability so much as a shortcut to trying out all the methods one by one. As long as TRACE is disabled, we are fine.
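
A check for the condition above, as an added example that is not part of the original article or the product's own code: it parses the response to an OPTIONS request and reports whether TRACE appears in the Allow header. The function names, verdict strings and sample responses are constructed for illustration.

```python
import io
from http.client import parse_headers
from typing import Optional, Set

# Constructed sample responses to "OPTIONS / HTTP/1.1" (not captured from a real gateway).
SAMPLE_NO_TRACE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Allow: GET, POST, OPTIONS, HEAD\r\n"
    b"Content-Length: 0\r\n\r\n"
)
SAMPLE_WITH_TRACE = (
    b"HTTP/1.1 200 OK\r\n"
    b"allow: GET, HEAD\r\n"          # header names are case-insensitive
    b"Allow: OPTIONS , trace\r\n"    # Allow may be repeated; spacing may vary
    b"Content-Length: 0\r\n\r\n"
)
SAMPLE_NO_ALLOW = b"HTTP/1.1 204 No Content\r\nServer: example\r\n\r\n"


def advertised_methods(raw_response: bytes) -> Optional[Set[str]]:
    """Return the methods listed in all Allow headers, or None if none is present."""
    fp = io.BytesIO(raw_response)
    fp.readline()                    # skip the status line
    headers = parse_headers(fp)      # reads header lines up to the blank line
    values = headers.get_all("Allow")
    if values is None:
        return None
    # Upper-casing is a deliberately conservative choice: a lower-case
    # "trace" entry is still flagged for review.
    return {m.strip().upper() for v in values for m in v.split(",") if m.strip()}


def trace_verdict(raw_response: bytes) -> str:
    """Classify an OPTIONS response by whether TRACE is advertised."""
    methods = advertised_methods(raw_response)
    if methods is None:
        return "inconclusive"        # no Allow header: nothing was advertised
    return "trace-advertised" if "TRACE" in methods else "trace-not-advertised"


if __name__ == "__main__":
    for name, sample in [("no-trace", SAMPLE_NO_TRACE),
                         ("with-trace", SAMPLE_WITH_TRACE),
                         ("no-allow", SAMPLE_NO_ALLOW)]:
        print(name, trace_verdict(sample))
```

The Allow list is only what the server advertises; a TRACE request answered with 405 or 501 confirms the method is actually rejected.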