
I'm running a web server with Apache http server in front of an Apache Tomcat server.

My goal: Disable http-methods DELETE and PUT on the web server.

According to OWASP (https://www.owasp.org/index.php/Test_HTTP_Methods_(OTG-CONFIG-006)) this should be tested with this command:

nmap -p 80 --script http-methods www.example.com

On my server I get this response:

PORT   STATE SERVICE
80/tcp open  http
| http-methods:
|   Supported Methods: GET HEAD POST PUT DELETE OPTIONS
|_  Potentially risky methods: PUT DELETE

According to http://www.techstacks.com/howto/disable-http-methods-in-tomcat.html I can disable PUT and DELETE with these lines in web.xml:

<security-constraint>
     <web-resource-collection>
          <web-resource-name>restricted methods</web-resource-name>
          <url-pattern>/*</url-pattern>
          <http-method>PUT</http-method>
          <http-method>DELETE</http-method>
     </web-resource-collection>
     <auth-constraint />
</security-constraint>

If I add this, my response is still Supported Methods: GET HEAD POST PUT DELETE OPTIONS.
If I additionally disable the http-method OPTIONS by adding <http-method>OPTIONS</http-method> to the web.xml, then I get this good-looking response:

80/tcp open  http
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS

The same happens if I try to disable those http-methods in the Apache web server which is actually in front of the Tomcat, see: http://www.techstacks.com/howto/disable-http-methods-in-apache.html

What I want:

  • Disable PUT and DELETE
  • Don't disable OPTIONS
  • nmap -p 80 --script http-methods www.example.com should report that DELETE and PUT are disabled
chloesoe

1 Answer


The script is sending an OPTIONS request and reporting the results. This reports what methods the server software supports. Your security configuration is not changing what methods Tomcat understands; it is adding a security constraint that those methods are only allowed for users who meet the auth-constraint condition, which in this case contains no users. So Tomcat is being truthful: it does understand PUT and DELETE, even if nobody is allowed to use them.

If you want further confirmation, you can add --script-args http-methods.retest to your command. This will instruct the script to send a request with each of the discovered methods and report the status code of the response. But be careful: this will result in sending requests like DELETE /, which can be harmful.

bonsaiviking
  • Is there a way to configure Tomcat so that it doesn't understand `PUT` and `DELETE`? Now I have to disable `OPTIONS` to get an answer without `PUT` and `DELETE` with `nmap`. I think the security tester on the customer's site is testing with `nmap` as recommended by OWASP, so he always gets an "insecure" result until I disable `OPTIONS` – chloesoe Nov 16 '17 at 13:44
  • 1
    I'm not a Tomcat expert, so I don't know. I think [the OWASP testing guidance](https://www.owasp.org/index.php/Test_HTTP_Methods_(OTG-CONFIG-006)) is misleading because it doesn't distinguish between **supported** and **allowed** methods. Using the `http-methods.retest` argument, you should be able to show that the methods are not allowed. Your testing agreement should include a process for documenting false positives. – bonsaiviking Nov 16 '17 at 15:33
  • Thanks for your answer. This leads me to the conclusion that if a customer does a security review according to the OWASP testing guidance, then as an administrator of the Tomcat web server, I have to disable the http-method OPTIONS, so there will be no "possible risk" in the review list. – chloesoe Nov 16 '17 at 16:53
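The supported-versus-allowed distinction the answer and the comments describe, shown as an added example (not code from the question, the answer, nmap or Tomcat): the script does what `http-methods.retest` does, an OPTIONS probe followed by one request per advertised method, against a constructed local stub that behaves like a Tomcat carrying the web.xml constraint above (Allow still lists PUT and DELETE, both answer 403). The stub, its responses and the function names are assumptions for the demonstration.

```python
import http.server
import threading
import urllib.error
import urllib.request

# Constructed stand-in for a Tomcat carrying the web.xml constraint from the
# question: OPTIONS still advertises PUT and DELETE, but both get a 403.
ADVERTISED = "GET HEAD POST PUT DELETE OPTIONS"

class TomcatLikeHandler(http.server.BaseHTTPRequestHandler):
    def log_message(self, *args):  # silence request logging
        pass
    def _answer(self, status, allow=None):
        self.send_response(status)
        if allow:
            self.send_header("Allow", allow)
        self.send_header("Content-Length", "0")
        self.end_headers()
    def do_OPTIONS(self):  # what nmap's first probe sees
        self._answer(200, allow=ADVERTISED)
    def do_GET(self):
        self._answer(200)
    do_HEAD = do_POST = do_GET
    def do_PUT(self):  # refused because of the empty <auth-constraint/>
        self._answer(403)
    do_DELETE = do_PUT

def start_stub():
    srv = http.server.HTTPServer(("127.0.0.1", 0), TomcatLikeHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}/"

def request_status(url, method):
    """Return (status, Allow header) for one request, 4xx/5xx included."""
    req = urllib.request.Request(url, method=method)
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, resp.headers.get("Allow", "")
    except urllib.error.HTTPError as e:
        return e.code, e.headers.get("Allow", "")

def audit_methods(url):
    """Like http-methods with retest: OPTIONS first, then each advertised method."""
    _, allow = request_status(url, "OPTIONS")
    return {m: request_status(url, m)[0] for m in allow.replace(",", " ").split()}

if __name__ == "__main__":
    srv, url = start_stub()
    for method, status in audit_methods(url).items():
        print(f"{method:8}{status}  {'allowed' if status < 400 else 'supported but refused'}")
    srv.shutdown()
```

Pointed at a real server instead of the stub, the retest step sends each advertised method to the URL you give it, so run it only against a test path on a server you administer.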