Application accepts arbitrary methods

Article ID: 94901

Updated On:

Products

STARTER PACK-7, CA Rapid App Security, CA API Gateway

Issue/Introduction

It has been observed that the application accepts the OPTIONS HTTP method.

Using Burp Suite, craft a request that uses the OPTIONS HTTP method. The response shows that the method is enabled on the server and lists the other methods enabled on the server.

Environment

All Versions of SSG

Resolution

The OPTIONS method only tells you which methods are available. It is not so much a vulnerability as a shortcut to trying out all the methods one by one. As long as we have TRACE disabled, we are fine.
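
The condition in the resolution (TRACE disabled) can be checked from captured responses. The following is an added example, not part of the original article or the product: it reads the Allow header of an OPTIONS response and judges a TRACE response separately, because the Allow list is only what the server advertises. The function names, the sample responses and the host `gateway.example` are constructed for illustration.

```python
from email.parser import Parser

def parse_response(raw):
    """Split a raw HTTP response into (status_code, headers, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    status_line, _, header_block = head.partition("\n")
    status = int(status_line.split()[1])
    headers = Parser().parsestr(header_block, headersonly=True)
    return status, headers, body

def advertised_methods(options_raw):
    """Methods listed in the Allow header of an OPTIONS response."""
    _, headers, _ = parse_response(options_raw)
    allow = headers.get("Allow", "")
    return {m.strip().upper() for m in allow.split(",") if m.strip()}

def trace_enabled(trace_raw):
    """TRACE is live if the server answers 2xx and echoes the request back."""
    status, headers, body = parse_response(trace_raw)
    echoed = (headers.get_content_type() == "message/http"
              or body.lstrip().startswith("TRACE "))
    return 200 <= status < 300 and echoed

def assess(options_raw, trace_raw):
    """Combine both observations into one audit result."""
    methods = advertised_methods(options_raw)
    return {
        "advertised": sorted(methods),
        "trace_advertised": "TRACE" in methods,
        "trace_enabled": trace_enabled(trace_raw),
    }

# Constructed sample responses (not captured from a real gateway).
OPTIONS_SAMPLE = ("HTTP/1.1 200 OK\r\nAllow: GET, POST, OPTIONS, HEAD\r\n"
                  "Content-Length: 0\r\n\r\n")
TRACE_BLOCKED = ("HTTP/1.1 405 Method Not Allowed\r\n"
                 "Allow: GET, POST, OPTIONS, HEAD\r\nContent-Length: 0\r\n\r\n")
TRACE_ECHO = ("HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n\r\n"
              "TRACE / HTTP/1.1\r\nHost: gateway.example\r\n\r\n")

if __name__ == "__main__":
    print(assess(OPTIONS_SAMPLE, TRACE_BLOCKED))
    print(assess(OPTIONS_SAMPLE, TRACE_ECHO))
```

The raw responses can be pasted from the proxy history or from `curl -i -X OPTIONS` and `curl -i -X TRACE` run against your own gateway.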