
Document information

Document ID:4104
Subject: Why are the PUT and DELETE methods in the HTTP server enabled
Creation date:1/20/15 1:46 PM
Last modified on:2/24/16 11:42 AM


PUT and DELETE methods in HTTP server

NOTE:

Besides SynaMan, this page is also applicable to other products published by Synametrics Technologies, Inc. These products include Syncrify, Xeams, SynTail, Mail Junction and SMTP Gateway.

Problem statement

When you run a third-party tool to check vulnerabilities against SynaMan, it complains the web server accepts PUT and DELETE methods.

Further explanation

Most vulnerability scanners use the OPTIONS request to determine supported methods. This mechanism returns the methods the server advertises as available, but not necessarily the ones it permits. The only way to determine whether a method is permitted is to actually send a request using that method and see how the server responds.

Try sending the following HTTP request to SynaMan, Syncrify or any other product that contains a web server from Synametrics Technologies, Inc.

OPTIONS * HTTP/1.1
Host: localhost


A typical response from the web server will be:

HTTP/1.1 200 OK
Allow: GET, HEAD, POST, PUT, DELETE, OPTIONS
Content-Length: 0
Date: Tue, 20 Jan 2015 18:59:09 GMT
Server: Synametrics Web Server v7


Since PUT and DELETE appear in the Allow field, a vulnerability scanner assumes these methods are supported. This is clearly a false positive. A better approach is to check whether the server actually permits these methods. To confirm that the server does not permit the DELETE method, send the following request to the web server.

DELETE /index.htm HTTP/1.1
Host: localhost


A typical response from SynaMan's web server will be:

HTTP/1.1 403 Forbidden
Content-Type: text/html;charset=utf-8
Content-Language: en
Content-Length: 961
Date: Tue, 20 Jan 2015 18:38:05 GMT
Server: Synametrics Web Server v7


Notice the HTTP response code, 403, which tells the client that the method is forbidden by the server.
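The two-step check described above, written as an added Python example (this is not code from the SynaMan documentation): parse the Allow header of an OPTIONS response, then actually send each advertised method and treat a 403 (the case shown above) as "not permitted". The `send` callable is an assumption the caller supplies to talk to a real server; the included stand-in server only reproduces the responses quoted in this article.

```python
import re
from typing import Callable, Dict, Set

# Raw OPTIONS response quoted in the article, embedded so the example runs offline.
OPTIONS_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Allow: GET, HEAD, POST, PUT, DELETE, OPTIONS\r\n"
    "Content-Length: 0\r\n"
    "Server: Synametrics Web Server v7\r\n\r\n"
)

def advertised_methods(raw_response: str) -> Set[str]:
    """Parse the Allow header of an OPTIONS response into the set of advertised methods."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "allow":
            return {m.strip().upper() for m in value.split(",") if m.strip()}
    return set()

def status_code(raw_response: str) -> int:
    """Return the status code from the status line of a raw HTTP/1.x response."""
    match = re.match(r"HTTP/\d\.\d (\d{3})", raw_response)
    if not match:
        raise ValueError("not an HTTP response status line")
    return int(match.group(1))

def confirm_methods(send: Callable[[str, str], str], path: str, methods: Set[str]) -> Dict[str, bool]:
    """Send a real request per advertised method; 403 (the article's case), 405 or 501 mean
    the method is not actually permitted, whatever the Allow header said."""
    return {m: status_code(send(m, path)) not in (403, 405, 501) for m in sorted(methods)}

def false_positives(send: Callable[[str, str], str], path: str) -> list:
    """Methods the server advertises via OPTIONS but refuses when actually requested."""
    permitted = confirm_methods(send, path, advertised_methods(send("OPTIONS", "*")))
    return sorted(m for m, ok in permitted.items() if not ok)

def fake_synametrics_server(method: str, path: str) -> str:
    """Constructed stand-in (not the real product) for the behaviour the article describes:
    OPTIONS lists six methods, but only GET, HEAD, POST and OPTIONS are permitted."""
    if method == "OPTIONS":
        return OPTIONS_RESPONSE
    if method in ("GET", "HEAD", "POST"):
        return "HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"
    return ("HTTP/1.1 403 Forbidden\r\nContent-Type: text/html;charset=utf-8\r\n"
            "Content-Length: 961\r\n\r\n")

if __name__ == "__main__":
    print(false_positives(fake_synametrics_server, "/index.htm"))  # ['DELETE', 'PUT']
```

Against a live server, `send` would open a socket, write the request line plus a Host header, and return the raw response text; the scanner finding is a false positive whenever `false_positives` lists the flagged method.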

Conclusion

Vulnerability scanners that rely on the OPTIONS method to check supported HTTP methods may report a false positive if they do not confirm whether a particular method is actually permitted.

Every product published by Synametrics Technologies, Inc. that includes an embedded web server only permits GET, POST, OPTIONS and HEAD methods. Every other HTTP method is forbidden.
