SynaMan » SynaMan KB

Document information

Document ID: 4104
Subject: Why are PUT and DELETE methods in HTTP server are enabled
Creation date: 1/20/15 1:46 PM
Last modified on: 11/8/18 11:00 AM

PUT and DELETE methods in HTTP server


This page is applicable to other Synametrics Technologies products including Syncrify, Xeams, SynTail, Mail Junction and SMTP Gateway.

Problem statement

When you run a third-party tool to check vulnerabilities against SynaMan, it complains the web server accepts PUT and DELETE methods.

Further explanation

Most vulnerability scanners use the OPTION request to determine supported methods. This mechanism returns methods that are available but not necessarily permitted. The only way to determine if a method is permitted is to actually send a request and see if the server responds.

Try sending the following HTTP request to SynaMan, Syncrify or any other product that contains a web server from Synametrics Technologies, Inc.

Host: localhost

A typical response from the web server will be:

HTTP/1.1 200 OK
Content-Length: 0
Date: Tue, 20 Jan 2015 18:59:09 GMT
Server: Synametrics Web Server v7

Since PUT and DELETE appears on the Allow field, a vulnerability scanner thinks these methods are supported. This is clearly a false positive. A better approach is to check if the server permits these methods. To confirm a server does not permit DELETE method, send the following request to the web server.

DELETE /index.htm HTTP/1.1
Host: localhost

A typical response from SynaMan's web server will be:

HTTP/1.1 403 Forbidden
Content-Type: text/html;charset=utf-8
Content-Language: en
Content-Length: 961
Date: Tue, 20 Jan 2015 18:38:05 GMT
Server: Synametrics Web Server v7

Notice the HTTP response code, which is 403 letting the client know the method is forbidden by the server.


Vulnerability scanners that use the OPTIONS method to check supported HTTP methods may end up reporting a false positive if they do not confirm if a particular method is permitted.

Every product published by Synametrics Technologies, Inc. that includes an embedded web server only permits GET, POST, OPTIONS and HEAD methods. Every other HTTP method is forbidden.

Add a comment to this document

Do you have a helpful tip related to this document that you'd like to share with other users?

Important: This area is reserved for useful tips. Therefore, do not post any questions here. Instead, use our public forums to post questions.


Social Media

Powered by