high Web Vulnerabilities

Dangerous HTTP Methods Enabled

The server allows dangerous HTTP methods (PUT, DELETE, TRACE, CONNECT, WebDAV) that can be abused for file upload, deletion, or cross-site tracing.

Severity
high
Time to Fix
15 minutes
Difficulty
easy
OWASP
A05:2021 — Security Misconfiguration

What is Dangerous HTTP Methods Enabled?

HTTP methods like PUT (upload files), DELETE (delete files), TRACE (reflect requests — enables XST), and CONNECT (open proxy) should be disabled on production web servers unless explicitly needed. TRACE in particular enables Cross-Site Tracing (XST), which can steal HttpOnly cookies.

Why It Matters to Your Business

Enabled PUT/DELETE methods can allow attackers to upload web shells or delete critical files. TRACE enables XST attacks that bypass HttpOnly cookie protection. WebDAV methods (PROPFIND, MKCOL) expose additional attack surface.

How to Fix It

Disable dangerous HTTP methods:

Nginx:
  if ($request_method !~ ^(GET|POST|HEAD|OPTIONS)$ ) {
      return 405;
  }

Apache:
  <LimitExcept GET POST HEAD OPTIONS>
    Require all denied
  </LimitExcept>

Apache (disable TRACE):
  TraceEnable off

IIS (web.config):
  <system.webServer>
    <security>
      <requestFiltering>
        <verbs>
          <add verb="TRACE" allowed="false" />
          <add verb="PUT" allowed="false" />
          <add verb="DELETE" allowed="false" />
        </verbs>
      </requestFiltering>
    </security>
  </system.webServer>

Technical Classification

OWASP CategoryA05:2021 — Security Misconfiguration
CWE IDCWE-650: Trusted HTTP URL Leaves Door Open
Detected Byhttp_methods scanner(s)
Severity Levelhigh

How 2MNY Security Can Help

Check if your website has this vulnerability

Our http_methods scanner checks for this issue automatically.

Scan My Website Free

Related Vulnerabilities