Description

The configuration file (web.config) of this web application contains a Location section that appears to be vulnerable to HTTP verb tampering. One or more Location sections contain a verbs property. That is insecure because a rule restricted by verbs applies only to the listed HTTP methods, so it can be bypassed using any other HTTP method that is not listed in the value of this property. It's recommended to remove the verbs property; this will make the security constraint apply to all HTTP methods. This is an example of a vulnerable configuration:

<location path="Admin.aspx">
        <system.web>
                <authorization>
                        <allow verbs="GET" users="admin" />
                        <deny verbs="POST,GET" users="*" />
                </authorization>
        </system.web>
</location>

Remediation

It's recommended to remove the verbs property. This is an example of a safe configuration:

<location path="Admin.aspx">
        <system.web>
                <authorization>
                        <allow users="admin" />
                        <deny users="*" />
                </authorization>
        </system.web>
</location>
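
The following audit script is an added example, not part of the original advisory or of any scanner's code. It flags verb-scoped authorization rules in a web.config and shows which rule, if any, decides a given request. The sample inputs are constructed from the two configurations above; the function names are hypothetical, and only the users attribute with explicit names or "*" is modelled (roles and "?" are not).

```python
import xml.etree.ElementTree as ET

# Constructed sample inputs mirroring the two configurations on this page.
VULNERABLE = """<configuration>
  <location path="Admin.aspx"><system.web><authorization>
    <allow verbs="GET" users="admin" />
    <deny verbs="POST,GET" users="*" />
  </authorization></system.web></location>
</configuration>"""
SAFE = """<configuration>
  <location path="Admin.aspx"><system.web><authorization>
    <allow users="admin" />
    <deny users="*" />
  </authorization></system.web></location>
</configuration>"""

def location_rules(config_xml):
    """Yield (path, [allow/deny elements in document order]) per <location>."""
    for loc in ET.fromstring(config_xml).iter("location"):
        auth = next(loc.iter("authorization"), None)
        if auth is not None:
            yield loc.get("path", ""), [r for r in auth if r.tag in ("allow", "deny")]

def verb_scoped_rules(config_xml):
    """Return (path, tag, verbs) for every rule that carries a verbs attribute."""
    return [(path, r.tag, r.get("verbs"))
            for path, rules in location_rules(config_xml)
            for r in rules if r.get("verbs") is not None]

def first_match(rules, method, user):
    """Return the tag of the first rule matching method and user.
    None means no rule in this section applied, so the decision is left
    to whatever configuration the section inherits."""
    for r in rules:
        verbs = r.get("verbs")
        if verbs and method.upper() not in [v.strip().upper() for v in verbs.split(",")]:
            continue  # rule is scoped to other methods and is skipped
        users = [u.strip() for u in r.get("users", "").split(",")]
        if "*" in users or user in users:
            return r.tag
    return None

def decision(config_xml, path, method, user):
    """Look up the <location> for path and evaluate its rules in order."""
    for p, rules in location_rules(config_xml):
        if p == path:
            return first_match(rules, method, user)
    return None
```

Any non-empty result from verb_scoped_rules is a finding; a None from decision for a non-admin user marks a request that the section's deny rule does not cover.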
