Insecure Design

Risky HTTP Methods Allowed Discovered



HTTP (Hypertext Transfer Protocol) is a protocol used in communication between web browsers and servers. HTTP methods are used to tell the server what kind of action a client (usually a web browser) wants to take. The most widely known HTTP methods are GET, POST, PUT, and DELETE.

However, some HTTP methods can be risky in terms of security. For example, PUT and DELETE methods are used to modify or delete files or resources on the server. Misconfigured or unauthorized use of these methods can cause malicious people to make unwanted changes to the target system or cause data loss. When an attacker detects that the server supports risky HTTP methods, they can perform attacks by abusing these methods.


Enabling risky HTTP methods without proper security measures exposes the website or web application to various risks, including:
Potential data integrity issues: Attackers may exploit insecure HTTP methods to modify or delete data within the application.
Unauthorized access to sensitive data: Insecure HTTP methods can grant unauthorized individuals access to sensitive information or functionalities.


To mitigate the risks associated with allowing risky HTTP methods, consider implementing the following measures:
Disable risky HTTP methods: If the website or web application does not require the use of risky HTTP methods, disable them entirely to eliminate potential attack vectors.
Secure risky HTTP methods: If the application necessitates the use of risky HTTP methods, ensure they are properly secured by implementing access controls, input validation, and encryption.
Employ a Web Application Firewall (WAF): A WAF can help identify and block malicious requests that exploit risky HTTP methods, thereby providing an additional layer of protection.
Stay updated with security best practices: Regularly review and update the security measures of the website or web application to address emerging threats and vulnerabilities.





Start Your Free Trial Now!

The 30-day free trial of ThreatMon allows users to explore the product's security benefits. During this trial period, you can test Threat Intelligence data, detect threats to your organization and recommend security measures.

Start Free Trial