
In OWASP ASVS 2014 (https://www.owasp.org/images/5/58/OWASP_ASVS_Version_2.pdf) we have:

V 11.2 (page 31): Verify that the application accepts only a defined set of HTTP request methods, such as GET and POST and unused methods are explicitly blocked.

Does it mean we cannot use non-standard HTTP methods? If yes, can we say that WebDAV doesn't conform to the OWASP ASVS standard? If the answer is no, is there any formal document, blog post or FAQ for this?

Florian Winter
Mahmoud Moravej

2 Answers


The way I read this is that as long as you define which request methods you accept and block everything else, you can use any method you want.

only a defined set

is not the same as "you cannot use non-standard"; it says that, for instance, if you are not using POST you should explicitly block POST.

such as GET and POST

Here GET and POST are examples of methods, not a complete list of available methods.

So use the methods that fit your needs, but verify that the application does not accept any request whose method is not in the list of acceptable methods.

rypskar
  • I think exactly like you. But I need a formal reference (an FAQ or a blog post on OWASP website) to show it to our security lab. – Mahmoud Moravej Jul 25 '16 at 06:21
  • 1
    @MahmoudMoravej — The text you quoted **is** a formal reference, which says that explicitly. A formal reference which confirms that it says what it says would be a dictionary or a guide to English grammar. – Quentin Jul 25 '16 at 08:17

The quick answer is NO! I asked Andrew van der Stock, the OWASP ASVS project leader. This is my question:

Dear Owasp Asvs project leaders (Daniel & Vanderaj),

I want to know if OWASP ASVS 2014 Level 1 forces us to use just the standardized HTTP methods (GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, TRACE) or whether we can use non-standardized HTTP methods too (by listing them in a document, like WebDAV (https://en.wikipedia.org/wiki/WebDAV) did).

With Respect

And he replied:

I think the primary driver is not to worry about which methods are available, but if they are necessary and safely configured.

Essentially, we are asking for: All methods are denied by default, except for: A positive set of allowed methods, AND all these methods are correctly and securely configured

For example, OPTIONS and HEAD are required by Chrome doing pre-flight CORS checks on AngularJS and other apps, and many apps require PUT and DELETE. Therefore these methods are necessary. If you use a new method, such as "EXAMPLE", the idea is that you don't also accept any other words, such as "RIDICULOUS", and "EXAMPLE" is correctly configured to be safe.

So if WebDAV is also enabled for whatever reason, it's important to make sure that it is properly secured. There may be a solid reason for it to exist (e.g. SharePoint), but to allow anonymous users to overwrite your site or change things is not okay.

thanks, Andrew

Mahmoud Moravej