Hi!
I’m doing some security analysis over my Phoenix app, and it’s recommending to disable some HTTP methods (OPTIONS, TRACK, CUSTOM). I’m using the Cowboy webserver, is there a way to disable them and make my webserver more compliant?
What do you mean by “disable them”?
Hi @hauleth, I mean that if the server receives these methods, they should be discarded or something equivalent, in order to be PCI DSS compliant. Is there a way to achieve this?
Isn’t OPTIONS required for preflight scenarios?
Regardless, you can trivially add a Plug to your endpoint.ex module that checks the HTTP method and, if it’s on your disallow list, you can return whatever status code you like and halt.
Yes, but it exposes a vulnerability - it grants a potential attacker a little bit of help and it can be considered a shortcut to find another hole. (Linked page: “Vulnerable OPTIONS Method Vulnerability | OWASP Top 10 Security Testing | Top Web App Security Testing Services Firm | cyber security whitepapers | Pune Mumbai Hyderabad Delhi Bangalore Ahmedabad Kolkata India Dubai Bahrain Qatar Kuwait Singapore Australia USA UK Germany Croatia Botswana Mauritius”)
This website is simply wrong. It says:
> OPTIONS is a diagnostic method which is mainly used for debugging purpose. This HTTP method basically reports which HTTP Methods that are allowed on the web server. In reality, this is rarely used for legitimate purposes, but it does grant a potential attacker a little bit of help and it can be considered a shortcut to find another hole.

This is simply inaccurate. Its main use is not debugging; it’s to support CORS requests. CORS is a perfectly legitimate use case (see “Cross-Origin Resource Sharing (CORS) - HTTP | MDN”). This is incredibly common when making requests to APIs from JavaScript.
To disable any HTTP method, we can add a plug for the same in endpoint.ex.
Mentioning some code for future reference for someone.
```elixir
defmodule MyApp.Plug.DisableHttpMethods do
  @moduledoc """
  This plug disallows OPTIONS, TRACK and CUSTOM method requests.
  """
  import Plug.Conn

  # Methods that are rejected before the request reaches the router.
  @disallowed ~w(OPTIONS TRACK CUSTOM)

  def init(opts), do: opts

  def call(conn, _opts) do
    if conn.method in @disallowed do
      # Reply 405 with an empty body and stop the rest of the plug pipeline.
      conn
      |> send_resp(:method_not_allowed, "")
      |> halt()
    else
      conn
    end
  end
end
```

And finally add it to endpoint.ex:

```elixir
plug MyApp.Plug.DisableHttpMethods
```
Hope this answers your question.
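A variant of the same idea, added here as an example and not code from this thread: instead of listing methods to block, it keeps an explicit allow-list (so TRACE or any arbitrary custom verb is rejected by default), answers with the `Allow` header that RFC 7231 requires on a 405, and keeps OPTIONS allowed because CORS preflight needs it. Module and test names are assumed.

```elixir
defmodule MyApp.Plug.AllowedHttpMethods do
  @moduledoc """
  Rejects any request whose method is not on an explicit allow-list,
  so an unexpected verb (TRACE, an arbitrary custom method) never
  reaches the router. Rejections are 405 with an `Allow` header, which
  RFC 7231 requires for that status. OPTIONS stays allowed by default
  because CORS preflight requests use it.
  """
  @behaviour Plug
  import Plug.Conn

  @default_allow ~w(GET HEAD POST PUT PATCH DELETE OPTIONS)

  @impl true
  def init(opts) do
    # Normalise once at startup; conn.method is always upper-case.
    allow = opts |> Keyword.get(:allow, @default_allow) |> Enum.map(&String.upcase/1)
    %{allow: allow, allow_header: Enum.join(allow, ", ")}
  end

  @impl true
  def call(%Plug.Conn{method: method} = conn, %{allow: allow, allow_header: header}) do
    if method in allow do
      conn
    else
      conn
      |> put_resp_header("allow", header)
      |> send_resp(405, "Method Not Allowed")
      |> halt()
    end
  end
end

# ExUnit check of both branches (hypothetical test file, e.g. test/my_app/plug/allowed_http_methods_test.exs).
defmodule MyApp.Plug.AllowedHttpMethodsTest do
  use ExUnit.Case, async: true
  import Plug.Test
  import Plug.Conn

  @opts MyApp.Plug.AllowedHttpMethods.init(allow: ~w(GET POST OPTIONS))

  test "unlisted method gets 405 with Allow header" do
    conn = MyApp.Plug.AllowedHttpMethods.call(conn(:trace, "/"), @opts)
    assert conn.halted and conn.status == 405
    assert get_resp_header(conn, "allow") == ["GET, POST, OPTIONS"]
  end

  test "listed method (OPTIONS for CORS preflight) passes through" do
    refute MyApp.Plug.AllowedHttpMethods.call(conn(:options, "/"), @opts).halted
  end
end
```

Put `plug MyApp.Plug.AllowedHttpMethods, allow: ~w(...)` in endpoint.ex before the router, and check the 405 reaches your logs so blocked methods show up in monitoring rather than vanishing silently.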
It seems utterly bull to recommend disabling OPTIONS. But for the sake of assurance I just asked my colleague, who is a world-known ethical hacker. Will get to this tomorrow.
The follow-up: that’s what he said.
Also: the title of the linked page already shows the quality of the source….
Final and conclusive:
Thanks for the resources @BartOtten. I think we can probably let this thread rest at this point.