[Solved] OPTIONS HTTP method expose what other methods are supported by the web server, allowing attackers to narrow and intensify their efforts.

Added by Anonymous about 3 years ago

Hello,

I came around the following:
https://www.owasp.org/index.php/Test_HTTP_Methods_(OTG-CONFIG-006)
Where the OPTIONS method is mentioned as exploitable:
Web servers that respond to the OPTIONS HTTP method expose what other methods are supported by the web server, allowing attackers to narrow and intensify their efforts.

Is this also applicable to lighttpd 1.4.51? I cannot see any "Allow: GET, HEAD, POST, TRACE, OPTIONS" in the response headers etc.

Has someone already had a look into this? And is there a solution if it is exploitable?

Regards


Replies (1)

RE: [Solved] OPTIONS HTTP method expose what other methods are supported by the web server, allowing attackers to narrow and intensify their efforts. - Added by gstrauss about 3 years ago

If you have researched this and have an educated question, please ask.

If this is a drive-by post, then please understand that we are familiar with https://tools.ietf.org/html/rfc7231#section-4.3.7 and it is part of the HTTP spec.

If you want to deny OPTIONS, then you can configure lighttpd to do so by reading the documentation: Docs_Configuration
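
A check for the question raised in this thread, added here as an example (it is not code from either poster or from the lighttpd project): it sends OPTIONS to a server you administer and compares any Allow header in the reply with a permitted-method policy. The policy set, the function names and the sample responses are assumptions constructed for illustration.

```python
import http.client

# Assumed policy for this example: methods the site is meant to accept.
PERMITTED = frozenset({"GET", "HEAD", "POST", "OPTIONS"})

def parse_allow(value):
    """Split an Allow header value into a set of upper-cased method names."""
    if not value:
        return set()
    return {m.strip().upper() for m in value.split(",") if m.strip()}

def audit(status, allow_value, permitted=PERMITTED):
    """Classify one OPTIONS response against the permitted-method policy."""
    advertised = parse_allow(allow_value)
    if status in (403, 405, 501) and not advertised:
        verdict = "options-denied"        # server refuses OPTIONS outright
    elif not advertised:
        verdict = "no-allow-header"       # answered, but lists no methods
    elif advertised - permitted:
        verdict = "unexpected-methods"    # advertises more than the policy
    else:
        verdict = "matches-policy"
    return {"status": status, "advertised": sorted(advertised),
            "unexpected": sorted(advertised - permitted), "verdict": verdict}

def probe(host, port=80, path="/", timeout=5):
    """Send OPTIONS to a server you administer and audit the reply."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("OPTIONS", path)
        resp = conn.getresponse()
        resp.read()
        return audit(resp.status, resp.getheader("Allow"))
    finally:
        conn.close()

# Constructed sample responses (status, Allow value); not captured from a real server.
SAMPLES = [
    (200, "GET, HEAD, POST, TRACE, OPTIONS"),  # header string quoted in the question
    (200, "OPTIONS, GET, HEAD, POST"),
    (403, None),
    (200, None),
]

if __name__ == "__main__":
    for status, allow in SAMPLES:
        print(audit(status, allow))
```

Run `probe()` before and after changing the server configuration to confirm that the reply to OPTIONS is the one you intended.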
