Disable HTTP Methods

Hi!

I’m doing some security analysis over my Phoenix app, and it’s recommending to disable some HTTP methods (OPTIONS, TRACK, CUSTOM). I’m using the Cowboy webserver; is there a way to disable them and make my webserver more compliant?

What do you mean by “disable them”?

Hi @hauleth, I mean that if the server receives these methods, they should be discarded or something equivalent, in order to be PCI DSS compliant. Is there a way to achieve this?

Isn’t OPTIONS required for preflight scenarios?

Regardless, you can trivially add a Plug to your endpoint.ex module that checks the HTTP method and, if it’s on your disallow list, returns whatever status code you like and halts.


Yes, but it exposes a vulnerability - it grants a potential attacker a little bit of help and it can be considered a shortcut to find another hole. Vulnerable OPTIONS Method Vulnerability | OWASP Top 10 Security Testing | Top Web App Security Testing Services Firm| cyber security whitepapers | Pune Mumbai Hyderabad Delhi Bangalore Ahmedabad Kolkata India Dubai Bahrain Qatar Kuwait Singapore Australia USA UK Germany Croatia Botswana Mauritius

This website is simply wrong. It says:

OPTIONS is a diagnostic method which is mainly used for debugging purposes. This HTTP method basically reports which HTTP methods are allowed on the web server. In reality, this is rarely used for legitimate purposes, but it does grant a potential attacker a little bit of help and it can be considered a shortcut to find another hole.

This is simply inaccurate. Its main use is not debugging, it’s to support CORS requests. CORS is a perfectly legitimate use case: Cross-Origin Resource Sharing (CORS) - HTTP | MDN. This is incredibly common when making requests to APIs from JavaScript.


To disable any HTTP method, we can add a plug for it in endpoint.ex.

Adding some code here for future reference.

defmodule MyApp.Plug.DisableHttpMethods do
  @moduledoc """
  This plug rejects requests that use the OPTIONS, TRACK or CUSTOM method
  with 405 Method Not Allowed and halts the pipeline.
  """
  import Plug.Conn

  # Methods to refuse. Plug stores conn.method as an upper-case string.
  @disallowed ["OPTIONS", "TRACK", "CUSTOM"]

  def init(opts), do: opts

  def call(conn, _opts) do
    if conn.method in @disallowed do
      # Send an empty 405 and halt so no later plug or controller runs.
      conn
      |> send_resp(:method_not_allowed, "")
      |> halt()
    else
      conn
    end
  end
end

And finally add it to endpoint.ex:

plug MyApp.Plug.DisableHttpMethods

Hope this answers your question.
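A slightly more complete variant, added here as an example and not code from this thread or from the Plug/Phoenix projects: the rejected methods and the Allow header are taken from the plug options instead of being hard-coded, and the 405 response carries the Allow header that RFC 7231 requires for that status. The module name MyApp.Plug.RejectMethods and the option names reject and allow are my own choices; the ExUnit module below shows the expected behaviour for a refused method and for one that passes through.

```elixir
defmodule MyApp.Plug.RejectMethods do
  @moduledoc """
  Added example (not the thread's code): refuse a configurable list of HTTP
  methods with 405 Method Not Allowed and an Allow header listing the methods
  the endpoint accepts, as RFC 7231 section 6.5.5 requires for a 405.
  """
  import Plug.Conn

  # Default Allow header when the endpoint does not configure one.
  @default_allowed ~w(GET HEAD POST PUT PATCH DELETE OPTIONS)

  # Options (both assumed names):
  #   reject: methods to refuse, e.g. ~w(TRACE TRACK)
  #   allow:  methods advertised in the Allow header of the 405 response
  # Names are upper-cased so "trace" matches conn.method "TRACE".
  def init(opts) do
    reject = opts |> Keyword.get(:reject, ~w(TRACE TRACK)) |> Enum.map(&String.upcase/1)
    allow = opts |> Keyword.get(:allow, @default_allowed) |> Enum.map(&String.upcase/1)
    %{reject: reject, allow: Enum.join(allow, ", ")}
  end

  def call(%Plug.Conn{method: method} = conn, %{reject: reject, allow: allow}) do
    if method in reject do
      # 405 with Allow header, then halt so nothing downstream handles the request.
      conn
      |> put_resp_header("allow", allow)
      |> send_resp(405, "")
      |> halt()
    else
      conn
    end
  end
end

# In endpoint.ex (OPTIONS deliberately left enabled so CORS preflight still works):
#
#   plug MyApp.Plug.RejectMethods, reject: ~w(TRACE TRACK), allow: ~w(GET HEAD POST OPTIONS)

defmodule MyApp.Plug.RejectMethodsTest do
  use ExUnit.Case, async: true
  import Plug.Test

  @opts MyApp.Plug.RejectMethods.init(reject: ~w(TRACE TRACK), allow: ~w(GET POST OPTIONS))

  test "a rejected method is halted with 405 and an Allow header" do
    conn = :trace |> conn("/") |> MyApp.Plug.RejectMethods.call(@opts)
    assert conn.halted
    assert conn.status == 405
    assert Plug.Conn.get_resp_header(conn, "allow") == ["GET, POST, OPTIONS"]
  end

  test "an allowed method passes through untouched" do
    conn = :options |> conn("/") |> MyApp.Plug.RejectMethods.call(@opts)
    refute conn.halted
    assert conn.status == nil
  end
end
```

Cowboy accepts any method token, so a name like CUSTOM reaches the plug just like a standard method; the comparison is on the string Plug stores in conn.method. Putting OPTIONS in the allow list rather than the reject list is what keeps CORS preflight working, which is the point made elsewhere in this thread.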


It seems utterly bull to recommend disabling OPTIONS. But for the sake of assurance I just asked my colleague, who is a world-known ethical hacker. Will get to this tomorrow :slight_smile:


The follow-up: that’s what he said.

Also: the title of the linked page already shows the quality of the source…


Final and conclusive:

  • CORS is splendid and OPTIONS is required for it.
  • Hackers do not use OPTIONS to sniff.
  • There is no need to disable HTTP methods.

Thanks for the resources @BartOtten. I think we can probably let this thread rest at this point.