Insecure HTTP methods enabled - Cloudformation


Need

Restrict HTTP methods to only those necessary for the application's functionality to prevent security risks.


Context

  1. HTTP methods define how clients interact with a server, but some methods can introduce security risks if not properly restricted.
  2. Insecure HTTP methods such as `TRACE`, `PUT`, and `DELETE` can allow attackers to manipulate resources, perform cross-site tracing attacks, or introduce malicious content.
  3. CloudFormation templates may inadvertently allow all HTTP methods (`HttpMethod: "*"`) when defining API resources, exposing services to potential threats.

Description

Insecure Code Example

```yaml
Resources:
  MyApi:
    Type: AWS::Serverless::Api
    Properties:
      StageName: Prod
      MethodSettings:
        - ResourcePath: "/*"
          HttpMethod: "*"
          LoggingLevel: INFO
```

The above CloudFormation template defines an **AWS::Serverless::Api** resource where `MethodSettings` allows all HTTP methods (`HttpMethod: "*"`, equivalent to `ANY`). Allowing all HTTP methods increases the risk of:

  • Unauthorized file uploads (`PUT`)
  • Accidental or malicious deletion of resources (`DELETE`)
  • Cross-site tracing attacks (`TRACE`), which can be used to expose sensitive information

This misconfiguration can lead to data manipulation or unauthorized actions on the API.

Steps

  1. Identify API configurations that allow unrestricted HTTP methods.
  2. Review API settings (`MethodSettings` in AWS, similar configurations in other frameworks).
  3. Replace `HttpMethod: "*"` or equivalent settings with explicitly defined methods (e.g., `GET`, `POST`).
  4. Validate the configuration to ensure only intended methods are accessible.
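The four steps above can be automated as a template lint. The script below is an added example (not part of this page or of any AWS tooling): it loads a CloudFormation template, inspects the `MethodSettings` of every `AWS::Serverless::Api` or `AWS::ApiGateway::Stage` resource, flags a wildcard `HttpMethod` (`*` or `ANY`) and any method outside an allowlist (steps 1 and 2), rewrites wildcard entries as one explicit entry per allowed method (step 3), and re-runs the check on the result (step 4). The templates are the page's two examples re-expressed as JSON so that only the standard library is needed; the allowlist `{"GET", "POST"}` and the function names are choices made for this example. Note that this is a static check on the template only: step 4 should still be confirmed against the deployed API, since an entry in `MethodSettings` is a stage setting and does not by itself remove a method that is wired up elsewhere.

```python
import json

# Constructed sample templates: the page's insecure and secure YAML examples,
# written as JSON so the standard library can parse them without PyYAML.
INSECURE_TEMPLATE = json.dumps({
    "Resources": {
        "MyApi": {
            "Type": "AWS::Serverless::Api",
            "Properties": {
                "StageName": "Prod",
                "MethodSettings": [
                    {"ResourcePath": "/*", "HttpMethod": "*", "LoggingLevel": "INFO"},
                ],
            },
        }
    }
})

SECURE_TEMPLATE = json.dumps({
    "Resources": {
        "MyApi": {
            "Type": "AWS::Serverless::Api",
            "Properties": {
                "StageName": "Prod",
                "MethodSettings": [
                    {"ResourcePath": "/secure", "HttpMethod": "GET", "LoggingLevel": "INFO"},
                    {"ResourcePath": "/secure", "HttpMethod": "POST", "LoggingLevel": "INFO"},
                ],
            },
        }
    }
})

# Resource types whose MethodSettings property the check inspects.
API_TYPES = {"AWS::Serverless::Api", "AWS::ApiGateway::Stage"}
# Values that match every HTTP method (the page treats "*" as equivalent to ANY).
WILDCARDS = {"*", "ANY"}
# Allowlist assumed for this example; adjust to what the application actually needs.
DEFAULT_ALLOWED = frozenset({"GET", "POST"})


def find_insecure_methods(template_text, allowed=DEFAULT_ALLOWED):
    """Steps 1-2: return (logical_id, resource_path, method, reason) for each
    MethodSettings entry that is a wildcard or uses a method outside `allowed`."""
    template = json.loads(template_text)
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") not in API_TYPES:
            continue
        settings = resource.get("Properties", {}).get("MethodSettings") or []
        for entry in settings:
            method = str(entry.get("HttpMethod", "")).upper()
            path = entry.get("ResourcePath", "/*")
            if method in WILDCARDS:
                findings.append((logical_id, path, method, "wildcard HttpMethod exposes every method"))
            elif method not in allowed:
                findings.append((logical_id, path, method, "method not in allowlist"))
    return findings


def is_compliant(template_text, allowed=DEFAULT_ALLOWED):
    """Step 4: True when no MethodSettings entry is flagged."""
    return not find_insecure_methods(template_text, allowed)


def configured_methods(template_text, logical_id):
    """List the HttpMethod values declared for one API resource, in template order."""
    props = json.loads(template_text)["Resources"][logical_id].get("Properties", {})
    return [str(e.get("HttpMethod", "")).upper() for e in props.get("MethodSettings") or []]


def fix_wildcards(template_text, allowed=DEFAULT_ALLOWED):
    """Step 3: replace each wildcard entry with one explicit entry per allowed
    method, keeping the entry's other settings (path, logging level) unchanged."""
    template = json.loads(template_text)
    for resource in template.get("Resources", {}).values():
        if resource.get("Type") not in API_TYPES:
            continue
        props = resource.setdefault("Properties", {})
        rewritten = []
        for entry in props.get("MethodSettings") or []:
            if str(entry.get("HttpMethod", "")).upper() in WILDCARDS:
                rewritten.extend({**entry, "HttpMethod": m} for m in sorted(allowed))
            else:
                rewritten.append(entry)
        if rewritten:
            props["MethodSettings"] = rewritten
    return json.dumps(template, indent=2)


if __name__ == "__main__":
    for name, text in (("insecure", INSECURE_TEMPLATE), ("secure", SECURE_TEMPLATE)):
        print(name, "findings:", find_insecure_methods(text))
    fixed = fix_wildcards(INSECURE_TEMPLATE)
    print("after fix, compliant:", is_compliant(fixed))
```

Running the file prints one finding for the insecure template (the `MyApi` wildcard on `/*`), none for the secure one, and `compliant: True` for the rewritten template. Because the rewrite keeps the original `ResourcePath`, the repaired entries still apply to `/*`; narrowing the path to the routes the application serves (as the secure example does with `/secure`) is a separate decision for the template author.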

Secure Code Example

```yaml
Resources:
  MyApi:
    Type: AWS::Serverless::Api
    Properties:
      StageName: Prod
      MethodSettings:
        - ResourcePath: "/secure"
          HttpMethod: "GET"
          LoggingLevel: INFO
        - ResourcePath: "/secure"
          HttpMethod: "POST"
          LoggingLevel: INFO
```

The secure approach explicitly defines only the necessary HTTP methods (`GET` and `POST`), ensuring that potentially harmful methods such as `TRACE`, `PUT`, and `DELETE` are not exposed. By restricting `MethodSettings` to an explicit resource path and method list, the API enforces a more controlled access policy and reduces its attack surface.


References

  • 044 - Insecure HTTP methods enabled

  • Last updated

    2025/04/03