On March 17, 2020 10:31:06 PM UTC, "James H. H. Lampert" <jam...@touchtonecorp.com> wrote:
>
> On 3/17/20 3:18 PM, Martynas Jusevičius wrote:
>> why should DELETE or OPTIONS not be enabled? They are standard HTTP
>> methods.
>
> True, but (quoting the audit report)
>> . . . [DELETE] may allow a remote attacker to delete arbitrary files
>> . . . .

There is a big difference between supporting a method (recognising it is a known HTTP method) and allowing it. Tomcat does not allow DELETE by default. Your app might, but one assumes if it does the developers know what they were doing and secured it appropriately...

Tomcat takes the view that OPTIONS should list all supported methods, not just methods allowed, for a given resource.

> and (again quoting the report)
>> Web servers that respond to the OPTIONS HTTP method expose what other
>> methods are supported by the web server, allowing attackers to narrow
>> and intensify their efforts.

That is a security by obscurity argument. The Tomcat devs have never given much (any?) weight to arguments made on that basis.

The XSS might be valid. I assume the tool provided a sample URL you could use to validate the finding. That should point you in the right direction but feel free to ask here if more help is required.

Mark

> --
> JHHL
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
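The supported-versus-allowed distinction above is something a scanner report rarely checks for you. The script below is an added example (not from the thread or from Tomcat itself) that validates a "DELETE enabled" finding against your own server: it reads what OPTIONS advertises, then sends a DELETE to a throwaway path and classifies the status code, so a 405/403 from Tomcat is reported as "supported but denied" rather than as a vulnerability. The URL and the status-to-verdict mapping are the example's own assumptions.

```python
"""Validate a scanner's 'DELETE/OPTIONS enabled' finding against a server you own."""
import urllib.error
import urllib.request


def parse_allow(header):
    """Split an Allow header value such as 'GET, HEAD, OPTIONS' into a set of methods."""
    return {m.strip().upper() for m in header.split(",") if m.strip()}


def classify_delete(status):
    """Turn the status code returned for a DELETE into a verdict.

    405/403/401 mean the server recognises the method but refuses it (Tomcat's
    default servlet answers 403 when read-only, 405 where DELETE is unmapped);
    a 2xx means the resource really was removed and the finding needs attention.
    """
    if status in (401, 403, 405):
        return "supported-but-denied"
    if status == 501:
        return "unsupported"
    if 200 <= status < 300:
        return "ALLOWED-investigate"
    return "inconclusive"


def request_status(url, method):
    """Send an arbitrary HTTP method and return (status, Allow header), even on 4xx/5xx."""
    req = urllib.request.Request(url, method=method)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.headers.get("Allow", "")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Allow", "")


def check_delete_finding(url):
    """Compare what OPTIONS advertises with what a real DELETE is allowed to do."""
    _, allow = request_status(url, "OPTIONS")
    delete_status, _ = request_status(url, "DELETE")
    return {
        "advertised": parse_allow(allow),
        "delete_status": delete_status,
        "verdict": classify_delete(delete_status),
    }


if __name__ == "__main__":
    # Assumed target: a disposable path on a Tomcat instance you administer.
    print(check_delete_finding("http://localhost:8080/scanner-probe.txt"))
```

Point it at a path that may safely disappear; a verdict of "supported-but-denied" alongside DELETE in the advertised set is exactly the supported-but-not-allowed case described above.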