
044 Insecure HTTP methods enabled


Description

HTTP methods such as TRACE, PUT and DELETE are enabled on the server. These methods may allow an attacker to include and/or delete files, or perform cross-site tracing attacks.


Impact

- Include content, scripts, binaries or images from potentially malicious sources.
- Increase the probability of carrying out attacks such as Cross-Site Scripting, Cross-Site Leaks, and others.


Recommendation

Configure the server to accept only secure HTTP methods for requests.
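
One way to apply this recommendation at the application layer, as an added example that is not part of the original page: a WSGI middleware that answers any method outside an allowlist with 405, plus a helper that flags TRACE, PUT and DELETE in an `Allow` header returned by an OPTIONS request. The allowlist (GET, HEAD, POST) and the names `MethodAllowlist`, `risky_methods_in_allow`, `demo_app` and `call` are assumptions made for illustration.

```python
from wsgiref.util import setup_testing_defaults

# Methods the finding names as insecure when left enabled.
RISKY_METHODS = {"TRACE", "PUT", "DELETE"}
# Assumption: this application only needs reads and form posts.
ALLOWED_METHODS = ("GET", "HEAD", "POST")


class MethodAllowlist:
    """WSGI middleware: reject any request method not explicitly allowed."""

    def __init__(self, app, allowed=ALLOWED_METHODS):
        self.app = app
        self.allowed = tuple(m.upper() for m in allowed)

    def __call__(self, environ, start_response):
        method = environ.get("REQUEST_METHOD", "")
        # HTTP method names are case-sensitive, so compare exactly.
        if method not in self.allowed:
            body = b"Method Not Allowed\n"
            start_response("405 Method Not Allowed", [
                ("Allow", ", ".join(self.allowed)),
                ("Content-Type", "text/plain"),
                ("Content-Length", str(len(body))),
            ])
            return [body]
        return self.app(environ, start_response)


def risky_methods_in_allow(allow_header):
    """Return the risky methods advertised in an Allow header value."""
    advertised = {m.strip().upper() for m in allow_header.split(",") if m.strip()}
    return sorted(advertised & RISKY_METHODS)


def demo_app(environ, start_response):
    # Constructed stand-in for the real application.
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok\n"]


def call(app, method):
    """Drive a WSGI app with a constructed request; return (status, headers)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["REQUEST_METHOD"] = method
    seen = {}
    def start_response(status, headers):
        seen["status"], seen["headers"] = status, dict(headers)
    b"".join(app(environ, start_response))
    return seen["status"], seen["headers"]
```

The same allowlist can be enforced at the web server or reverse proxy in front of the application; the middleware covers the case where that layer is not under your control.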


Threat

Authenticated attacker from the Internet.


Expected Remediation Time

15 minutes.


Score 4.0

Default score using CVSS 4.0. It may change depending on the context of the src.

Base 4.0

  • Attack vector: N
  • Attack complexity: L
  • Attack Requirements: N
  • Privileges required: L
  • User interaction: N
  • Confidentiality (VC): N
  • Integrity (VI): L
  • Availability (VA): L
  • Confidentiality (SC): N
  • Integrity (SI): N
  • Availability (SA): N

Threat 4.0

  • Exploit maturity: U

Requirements


Fixes


Last updated

2024/02/08