Description

This web application is using a security-constraint section that includes a web-resource-collection section with one or more http-method definitions. It's not recommended to use http-method definitions. When listing specific methods in their configuration, developers are actually allowing more access than they intend. It's safer to remove all http-method definitions.

Example vulnerable config: 

 
        
          adminres
          /admin/*
          GET
        
        
                admin
In the example above, an attacker can manipulate the HTTP method and use the HEAD method to access anything in the /admin/*.

Remediation

Remove all http-method definitions from the security-constraint section.

Example safer config: 


        
          adminres
          /admin/*
        
        
                admin

References

Http verb tempering: bypassing web authentication and authorization

Related Vulnerabilities

Tornado debug mode

Reverse proxy detected

nginx SPDY heap buffer overflow

SAP Knowledge Management and Collaboration (KMC) incorrect permissions

JSF ViewState client side storage

Severity

Medium

Classification

CWE-16 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Tags

Configuration