I'm running a web server with Apache http server in front of an Apache Tomcat server.
My goal: Disable the HTTP methods DELETE and PUT on the web server.
According to OWASP (https://www.owasp.org/index.php/Test_HTTP_Methods_(OTG-CONFIG-006)) this should be tested with this command:
nmap -p 80 --script http-methods www.example.com
On my server I get this response:
PORT STATE SERVICE
80/tcp open http
| http-methods:
| Supported Methods: GET HEAD POST PUT DELETE OPTIONS
|_ Potentially risky methods: PUT DELETE
According to http://www.techstacks.com/howto/disable-http-methods-in-tomcat.html I can disable PUT and DELETE with these lines in web.xml:
<security-constraint>
    <web-resource-collection>
        <web-resource-name>restricted methods</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>PUT</http-method>
        <http-method>DELETE</http-method>
    </web-resource-collection>
    <auth-constraint />
</security-constraint>
If I add this, my response is still: Supported Methods: GET HEAD POST PUT DELETE OPTIONS.
If I additionally disable the HTTP method OPTIONS by adding <http-method>OPTIONS</http-method> to the web.xml, then I get this good-looking response:
80/tcp open http
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
The same happens if I try to disable those HTTP methods in the Apache web server, which is actually in front of the Tomcat. See: http://www.techstacks.com/howto/disable-http-methods-in-apache.html
What I want:
- Disable PUT and DELETE
- Don't disable OPTIONS
- nmap -p 80 --script http-methods www.example.com should report that DELETE and PUT are disabled
Best Answer
The script is sending an OPTIONS request and reporting the results. This reports what methods the server software supports. Your security configuration is not changing what methods Tomcat understands; it is adding a security constraint that those methods are only allowed for users who meet the auth-constraint condition, which in this case contains no users. So Tomcat is being truthful: it does understand PUT and DELETE, even if nobody is allowed to use them.

If you want further confirmation, you can add --script-args http-methods.retest to your command. This will instruct the script to send a request with each of the discovered methods and report the status code of the response. But be careful: this will result in sending requests like DELETE /, which can be harmful.
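To see the two views the answer describes side by side, here is an added Python example; it is not part of the original question or answer. It starts a constructed local stub that behaves the way the answer says Tomcat behaves: OPTIONS advertises every method the container understands, while PUT and DELETE are refused for everyone because of the empty auth-constraint (the stub answers 403 for them; that status, the local address and port, and the set of methods treated as risky are assumptions of this example, not facts taken from the page). It then performs the two checks the nmap script performs: read the Allow header of an OPTIONS response, and, as http-methods.retest does, actually send each advertised risky method and record the status code.

```python
import http.client
import http.server
import threading

# Constructed stand-in for the behaviour the answer describes (assumption):
# OPTIONS lists everything Tomcat understands, PUT/DELETE are denied to all
# users by the empty <auth-constraint/>, so they come back as 403.
ADVERTISED = "GET, HEAD, POST, PUT, DELETE, OPTIONS"
CONSTRAINED = {"PUT", "DELETE"}

# Methods this example treats as risky. The page's nmap output flags PUT and
# DELETE; TRACE is included as an assumption, not something the page shows.
RISKY = {"PUT", "DELETE", "TRACE"}


class FakeTomcat(http.server.BaseHTTPRequestHandler):
    """Minimal stub: Allow header on OPTIONS, 403 for constrained methods."""

    def log_message(self, *args):  # keep the demo quiet
        pass

    def _reply(self, code, allow=None):
        self.send_response(code)
        if allow:
            self.send_header("Allow", allow)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def do_OPTIONS(self):
        self._reply(200, allow=ADVERTISED)

    def do_GET(self):
        self._reply(200)

    def do_HEAD(self):
        self._reply(200)

    def do_POST(self):
        self._reply(200)

    def do_PUT(self):
        self._reply(403)

    def do_DELETE(self):
        self._reply(403)


def start_server():
    """Start the stub on a free loopback port in a background thread."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), FakeTomcat)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def advertised_methods(host, port, path="/"):
    """Default nmap behaviour: send OPTIONS and parse the Allow header."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("OPTIONS", path)
    resp = conn.getresponse()
    resp.read()
    allow = resp.getheader("Allow", "")
    conn.close()
    return [m.strip() for m in allow.split(",") if m.strip()]


def retest_methods(host, port, methods, path="/"):
    """What http-methods.retest does: really send each method, record the status.
    Against a live server this sends e.g. DELETE / and may destroy data."""
    results = {}
    for method in methods:
        conn = http.client.HTTPConnection(host, port, timeout=5)
        conn.request(method, path)
        resp = conn.getresponse()
        resp.read()
        results[method] = resp.status
        conn.close()
    return results


def audit(host, port):
    """Advertised methods (what the server understands) versus what it allows."""
    advertised = advertised_methods(host, port)
    risky = [m for m in advertised if m in RISKY]
    return {"advertised": advertised, "retest": retest_methods(host, port, risky)}


if __name__ == "__main__":
    srv = start_server()
    report = audit("127.0.0.1", srv.server_address[1])
    print("Supported Methods (Allow header):", " ".join(report["advertised"]))
    for method, status in report["retest"].items():
        print(f"{method} / -> {status}")
    srv.shutdown()
```

The Allow header still names PUT and DELETE, which is exactly what nmap prints as "Supported Methods", while the retest shows both returning 403. Only run the retest part against a server you own, since it issues the real requests.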