Description

This web application is using a security-constraint section that includes a web-resource-collection section with one or more http-method definitions. It's not recommended to use http-method definitions. When listing specific methods in their configuration, developers are actually allowing more access than they intend. It's safer to remove all http-method definitions.

Example vulnerable config:

 
        
          adminres
          /admin/*
          GET
        
        
                admin
        
 
In the example above, an attacker can manipulate the HTTP method and use the HEAD method to access anything in the /admin/*.

Remediation

Remove all http-method definitions from the security-constraint section.

Example safer config:


        
          adminres
          /admin/*
        
        
                admin
        
 

References

Related Vulnerabilities