Config Files Xml Allow All Methods
Description
Detects XML configurations that allow all HTTP methods (*) without restrictions. This can expose endpoints to dangerous HTTP operations like DELETE, PUT, or arbitrary methods, potentially leading to unauthorized actions or data manipulation.
Detection Strategy
• Search for <add> tags in XML configuration files
• Check if the 'verb' attribute is set to '*' (case-insensitive)
• Verify the 'allowed' attribute is either missing or not explicitly set to 'false'
• Report vulnerability if conditions are met, indicating unrestricted HTTP method access
Vulnerable code example
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.webServer>
<handlers>
<!-- Vulnerable: Allows ALL HTTP methods including dangerous ones like TRACE -->
<add name="UnsafeHandler" path="*." verb="*" />
<!-- Vulnerable: Explicitly enables dangerous HTTP methods -->...✅ Secure code example
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.webServer>
<handlers>
<!-- Only allow safe essential HTTP methods -->
<add name="SafeHandler" path="*." verb="GET,HEAD,POST" />
</handlers>
<security>...Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.