Tomcat – Apache/Tomcat web server: nmap always returns that all http-methods are allowed

apache-2.4, http-method, nmap, tomcat

I'm running a web server with Apache http server in front of an Apache Tomcat server.

My goal: Disable http-methods DELETE and PUT on the web server.

According to OWASP (https://www.owasp.org/index.php/Test_HTTP_Methods_(OTG-CONFIG-006)) this should be tested with this command:

nmap -p 80 --script http-methods www.example.com

On my server I get this response:

PORT   STATE SERVICE
80/tcp open  http
| http-methods:
|   Supported Methods: GET HEAD POST PUT DELETE OPTIONS
|_  Potentially risky methods: PUT DELETE

According to http://www.techstacks.com/howto/disable-http-methods-in-tomcat.html I can disable PUT and DELETE with these lines in web.xml:

<security-constraint>
     <web-resource-collection>
          <web-resource-name>restricted methods</web-resource-name>
          <url-pattern>/*</url-pattern>
          <http-method>PUT</http-method>
          <http-method>DELETE</http-method>
     </web-resource-collection>
     <auth-constraint />
</security-constraint>

If I add this, my response is still Supported Methods: GET HEAD POST PUT DELETE OPTIONS.
If I additionally disable the http-method OPTIONS by adding <http-method>OPTIONS</http-method> to the web.xml, then I get this good-looking response:

80/tcp open  http
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS

The same happens if I try to disable those http-methods in the Apache web server which is actually in front of the Tomcat. See: http://www.techstacks.com/howto/disable-http-methods-in-apache.html

What I want:

  • Disable PUT and DELETE
  • Don't disable OPTIONS
  • nmap -p 80 --script http-methods www.example.com should report that DELETE and PUT are disabled

Best Answer

The script is sending an OPTIONS request and reporting the results. This reports what methods the server software supports. Your security configuration is not changing what methods Tomcat understands; it is adding a security constraint that those methods are only allowed for users who meet the auth-constraint condition, which in this case contains no users. So Tomcat is being truthful: it does understand PUT and DELETE, even if nobody is allowed to use them.

If you want further confirmation, you can add --script-args http-methods.retest to your command. This will instruct the script to send a request with each of the discovered methods and report the status code of the response. But be careful: this will result in sending requests like DELETE /, which can be harmful.
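The following Python script is an added illustration of the point made in the answer; it is not code from the question, the answer, or the Tomcat project. A local stand-in server plays the role of Tomcat with the security-constraint from the question applied: its OPTIONS response advertises every method the servlet understands (the Allow header that nmap's http-methods script reads), while PUT and DELETE return 403 because an empty auth-constraint admits nobody. The checker then does what http-methods.retest does, but only for the methods you name, so you can confirm the constraint is effective even though the advertised list is unchanged. The server, the Allow header value, the URLs and the function names are all constructed for this demo.

```python
"""
Demonstrates why nmap's http-methods script keeps listing PUT and DELETE
after a Tomcat <security-constraint> is added, and how to verify that the
constraint works anyway. The fake server and all responses are constructed
for the demo and are not Tomcat's code.
"""
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Methods the simulated servlet understands (what OPTIONS advertises).
ADVERTISED = ["GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS"]
# Methods the simulated security-constraint denies to every user.
DENIED = {"PUT", "DELETE"}


class FakeTomcat(BaseHTTPRequestHandler):
    """Stand-in for Tomcat: OPTIONS lists every method, constrained ones get 403."""

    def _reply(self, status, body=b""):
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_OPTIONS(self):
        # The Allow header reflects what the servlet understands, not what
        # the security constraint permits (constructed value, comma-separated).
        self.send_response(200)
        self.send_header("Allow", ", ".join(ADVERTISED))
        self.send_header("Content-Length", "0")
        self.end_headers()

    def do_GET(self):
        self._reply(200, b"ok")

    def do_HEAD(self):
        self._reply(200)

    def do_POST(self):
        self._reply(200, b"ok")

    def do_PUT(self):
        self._reply(403)  # empty <auth-constraint/>: nobody is authorised

    def do_DELETE(self):
        self._reply(403)

    def log_message(self, *args):  # keep the demo output quiet
        pass


def start_server():
    """Start the fake Tomcat on an ephemeral localhost port; returns the server."""
    srv = HTTPServer(("127.0.0.1", 0), FakeTomcat)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def probe(method, url):
    """Send one request with the given method and return the HTTP status code."""
    req = Request(url, method=method)
    try:
        with urlopen(req, timeout=5) as resp:
            return resp.status
    except HTTPError as err:  # 4xx/5xx arrive as exceptions; the code is what we want
        return err.code


def advertised_methods(url):
    """What the http-methods script reports: the Allow header of an OPTIONS reply."""
    req = Request(url, method="OPTIONS")
    with urlopen(req, timeout=5) as resp:
        allow = resp.headers.get("Allow", "")
    return [m.strip() for m in allow.split(",") if m.strip()]


def check_constraint(base_url, must_deny=("PUT", "DELETE")):
    """
    Compare the advertised method list with the real outcome of each method
    in must_deny. Returns the advertised list, the status per method, and an
    'effective' verdict that is True only when every must_deny method got 403.
    """
    result = {"advertised": advertised_methods(base_url), "status": {}}
    for method in must_deny:
        result["status"][method] = probe(method, base_url)
    result["effective"] = all(code == 403 for code in result["status"].values())
    return result


if __name__ == "__main__":
    server = start_server()
    base = f"http://127.0.0.1:{server.server_address[1]}/"
    report = check_constraint(base)
    print("Advertised by OPTIONS:", " ".join(report["advertised"]))
    for method, code in report["status"].items():
        print(f"{method} -> HTTP {code}")
    print("Constraint effective:", report["effective"])
    server.shutdown()
```

Run as-is and the advertised list still contains PUT and DELETE while both requests come back 403, which is exactly the situation in the question. To check a Tomcat instance you administer, point check_constraint at its base URL instead of the stand-in server; the status codes, not the Allow header, tell you whether the security-constraint is doing its job.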