SynaMan » SynaMan KB

Document information

Document ID: 4104
Subject: Why PUT and DELETE methods appear to be enabled in the HTTP server
Creation date: 1/20/15 1:46 PM
Last modified on: 11/8/18 11:00 AM


PUT and DELETE methods in HTTP server

NOTE:

This page is applicable to other Synametrics Technologies products including Syncrify, Xeams, SynTail, Mail Junction and SMTP Gateway.

Problem statement

When you run a third-party vulnerability scanner against SynaMan, it reports that the web server accepts the PUT and DELETE methods.

Further explanation

Most vulnerability scanners send an OPTIONS request and read the Allow header of the response to determine which methods are supported. That header lists the methods the server implements; it does not say whether a given method is permitted on a given resource, and an OPTIONS * request asks about the server as a whole rather than about any particular resource. The only way to determine whether a method is permitted is to actually send a request using that method and examine the response.

Try sending the following HTTP request to SynaMan, Syncrify or any other product that contains a web server from Synametrics Technologies, Inc. (the request must be terminated by an empty line after the headers):

OPTIONS * HTTP/1.1
Host: localhost


A typical response from the web server will be:

HTTP/1.1 200 OK
Allow: GET, HEAD, POST, PUT, DELETE, OPTIONS
Content-Length: 0
Date: Tue, 20 Jan 2015 18:59:09 GMT
Server: Synametrics Web Server v7


Since PUT and DELETE appear in the Allow header, a vulnerability scanner concludes that these methods are supported. This is a false positive. A better approach is to check whether the server actually permits these methods. To confirm that the server does not permit the DELETE method, send the following request to the web server:

DELETE /index.htm HTTP/1.1
Host: localhost


A typical response from SynaMan's web server will be:

HTTP/1.1 403 Forbidden
Content-Type: text/html;charset=utf-8
Content-Language: en
Content-Length: 961
Date: Tue, 20 Jan 2015 18:38:05 GMT
Server: Synametrics Web Server v7


Notice the HTTP response code: 403 tells the client that the server refuses the request. The conventional code for a method a resource does not support is 405 Method Not Allowed (which carries an Allow header listing what is permitted); these products answer 403 instead, so a scanner that only looks for 405 must also treat 403 as a refusal. A 403 for /index.htm is evidence for that path only, so repeat the request against the paths the scanner actually flagged.
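The two-step check above (read the Allow header from OPTIONS *, then send each advertised method and judge by the response) scripted end to end, as an added example that is not Synametrics' code. It uses only the Python standard library. Because no Synametrics product is bundled here, the server it talks to is a constructed stand-in that reproduces the two responses quoted on this page (Allow listing PUT and DELETE, 403 when they are used); point check_methods at a real host and port to run it against an actual install.

```python
"""Confirm whether methods advertised in an OPTIONS response are really
permitted, by sending each one and classifying the status code.

Added example, not Synametrics code. MockSynametricsHandler is a constructed
stand-in that reproduces the responses quoted on the page; it is not the
real server. Only the Python standard library is used."""
import threading
import http.client
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Methods the page says every Synametrics embedded web server permits.
BASELINE_METHODS = {"GET", "HEAD", "POST", "OPTIONS"}


def advertised_methods(host, port, target="*"):
    """Send OPTIONS (to '*' by default, i.e. the server as a whole) and
    return the methods listed in the Allow header, in the order given."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("OPTIONS", target)
        resp = conn.getresponse()
        resp.read()  # drain the (empty) body before closing
        allow = resp.getheader("Allow", "")
    finally:
        conn.close()
    return [m.strip().upper() for m in allow.split(",") if m.strip()]


def probe_method(host, port, method, path="/index.htm"):
    """Actually send `method` against `path` and return the status code.
    http.client adds Content-Length: 0 for PUT/POST/PATCH when no body is
    given, so the server cannot reject the probe for a missing length."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request(method, path)
        resp = conn.getresponse()
        resp.read()
        return resp.status
    finally:
        conn.close()


def classify(status):
    """Turn a status code into the verdict a scanner should report.
    403, 405 and 501 are refusals. 401/404 mean the request got past method
    dispatch, so retry with credentials or another path before concluding."""
    if status < 400:
        return "permitted"
    if status in (401, 404):
        return "inconclusive"
    return "refused"


def check_methods(host, port, path="/index.htm"):
    """Probe every advertised method outside the baseline set and return
    {method: (status, verdict)}; only 'permitted' is a real finding."""
    results = {}
    for method in advertised_methods(host, port):
        if method in BASELINE_METHODS:
            continue
        status = probe_method(host, port, method, path)
        results[method] = (status, classify(status))
    return results


class MockSynametricsHandler(BaseHTTPRequestHandler):
    """Constructed stand-in reproducing the behaviour quoted on this page:
    OPTIONS advertises PUT and DELETE, but using them yields 403."""
    protocol_version = "HTTP/1.1"

    def do_OPTIONS(self):
        self.send_response(200)
        self.send_header("Allow", "GET, HEAD, POST, PUT, DELETE, OPTIONS")
        self.send_header("Content-Length", "0")
        self.end_headers()

    def do_GET(self):
        body = b"<html><body>index</body></html>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html;charset=utf-8")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def forbidden(self):
        self.send_response(403)
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_PUT = do_DELETE = forbidden

    def log_message(self, *args):
        pass  # keep the demo output quiet


def start_mock_server():
    """Bind the mock on an ephemeral loopback port; returns (server, port)."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), MockSynametricsHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def demo():
    """Run the check against the mock and return (advertised, results)."""
    server, port = start_mock_server()
    try:
        return advertised_methods("127.0.0.1", port), check_methods("127.0.0.1", port)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    advertised, results = demo()
    print("Allow header lists:", ", ".join(advertised))
    for method, (status, verdict) in results.items():
        print(f"{method:7s} -> {status} ({verdict})")
```

Against the mock the Allow header lists PUT and DELETE, but both probes come back 403 and are classified as refused, which is exactly the evidence needed to close the scanner finding. The verdict is per path, so when running this against a real install pass the paths the scanner reported rather than relying on /index.htm alone.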

Conclusion

Vulnerability scanners that rely on the OPTIONS method to enumerate supported HTTP methods may report a false positive if they do not confirm, by sending a request, whether a particular method is actually permitted.

Every product published by Synametrics Technologies, Inc. that includes an embedded web server only permits GET, POST, OPTIONS and HEAD methods. Every other HTTP method is forbidden.
