Terraform Insecure Http Methods Enabled
Description
Detects dangerous HTTP methods enabled in AWS S3 bucket CORS configurations that could allow unauthorized cross-origin requests. When unsafe HTTP methods (such as DELETE or PUT) are permitted in CORS settings, a malicious website loaded in a victim's browser may be able to perform destructive operations on the S3 bucket.
Detection Strategy
• Scan AWS S3 bucket CORS configuration resources in Terraform files
• Check if CORS rules enable dangerous HTTP methods like DELETE, PUT, or unrestricted methods (*)
• Flag resources that allow potentially destructive HTTP methods in their CORS configuration
Vulnerable code example
```hcl
resource "aws_s3_bucket_cors_configuration" "example" {
  bucket = aws_s3_bucket.example.id
  cors_rule {
    allowed_headers = ["*"]
    allowed_methods = ["PUT", "TRACE"] # Vulnerable: TRACE method should never be allowed in CORS as it enables cross-site tracing attacks
    allowed_origins = ["https://example.com"]
    max_age_seconds = 3000
  }
}
```
✅ Secure code example
```hcl
resource "aws_s3_bucket_cors_configuration" "example" {
  bucket = aws_s3_bucket.example.id
  cors_rule {
    allowed_headers = ["Authorization", "Content-Type"] # Only allow necessary headers instead of wildcard
    allowed_methods = ["PUT", "GET", "POST"] # Remove TRACE method to prevent cross-site tracing attacks
    allowed_origins = ["https://example.com"] # Specific origin instead of wildcard for better security
    max_age_seconds = 3000
  }
}
```
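The detection strategy above, carried out as a small scanner over Terraform text. This is an added example, not Fluid Attacks' own check: it uses regular expressions rather than a full HCL parser, assumes terraform-fmt style indentation, and the resource names and sample file are constructed for the demonstration.

```python
import re
from typing import Dict, List, Set

# Methods the detection strategy treats as dangerous in an S3 CORS rule; "*" is the
# unrestricted wildcard and TRACE is included because the vulnerable example flags it.
DANGEROUS_METHODS = {"DELETE", "PUT", "*", "TRACE"}

# One aws_s3_bucket_cors_configuration resource: its name and the body up to the first
# "}" at column 0 (assumes terraform-fmt style indentation of nested cors_rule blocks).
_RESOURCE_RE = re.compile(
    r'resource\s+"aws_s3_bucket_cors_configuration"\s+"(?P<name>[^"]+)"\s*\{(?P<body>.*?)^\}',
    re.DOTALL | re.MULTILINE,
)
_METHODS_RE = re.compile(r"allowed_methods\s*=\s*\[(?P<items>[^\]]*)\]")


def find_insecure_cors_methods(hcl_text: str) -> Dict[str, List[str]]:
    """Map each flagged resource name to the sorted dangerous methods it enables."""
    findings: Dict[str, Set[str]] = {}
    for res in _RESOURCE_RE.finditer(hcl_text):
        for rule in _METHODS_RE.finditer(res.group("body")):
            items = rule.group("items").split(",")
            methods = {s.strip().strip('"').upper() for s in items if s.strip()}
            bad = methods & DANGEROUS_METHODS
            if bad:  # any cors_rule with a dangerous method flags the resource
                findings.setdefault(res.group("name"), set()).update(bad)
    return {name: sorted(bad) for name, bad in findings.items()}


# Constructed sample Terraform (not from the page): "uploads" mirrors the vulnerable
# example above and adds a wildcard rule, "assets" is a clean configuration.
SAMPLE_TF = '''
resource "aws_s3_bucket_cors_configuration" "uploads" {
  cors_rule {
    allowed_methods = ["PUT", "TRACE"]
    allowed_origins = ["https://example.com"]
  }
  cors_rule {
    allowed_methods = ["*"]
    allowed_origins = ["*"]
  }
}

resource "aws_s3_bucket_cors_configuration" "assets" {
  cors_rule {
    allowed_methods = ["GET", "HEAD"]
    allowed_origins = ["https://example.com"]
  }
}
'''
```

Running `find_insecure_cors_methods(SAMPLE_TF)` reports only the "uploads" resource, with PUT, TRACE and the wildcard; adjust DANGEROUS_METHODS to match the policy you actually enforce.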