HTTP offers a variety of methods that can be utilized to perform actions on the web server. They play a key role in communications between clients and servers. On the other hand, they can cause security risks if the web server is misconfigured.
An HTTP method is considered safe if it does not alter the server’s state. In this article, HTTP methods are going to be analyzed from the security point of view.
The PUT method is used to send data to a server to create or update a resource. An attacker can alter server resources or add malicious resources to the server if the server is configured to enable the PUT method. Moreover, by utilizing this method, a phishing attack can be initiated. An attacker can upload an HTML page containing a malicious login form designed to gather sensitive user information.
The DELETE method is used to delete the specified resource. If the server is configured to enable the DELETE method, an attacker can delete arbitrary content from the web server. This attack leads to denial of service or to the deletion of access configuration files, such as “.htaccess” on an Apache server, enabling unauthorized access to the system.
The CONNECT method creates a connection channel to the server specified by a provided URI, forming a tunnel between the client and the server. This method enables a client to utilize the web server as a proxy.
The TRACE method is used for sending the complete HTTP request back to the client that made the request, for proxy-debugging purposes. An attacker can create a malicious web application to cause a client to send a TRACE request and capture the client’s cookies. Moreover, using this method can result in the exposure of confidential data, such as internal authentication headers added by reverse proxies.
The OPTIONS method reports allowed HTTP methods for the server. It provides a certain advantage to a potential attacker, serving as a shortcut to discover additional vulnerabilities.
Except for preflight requests, the OPTIONS method should be disabled.
The GET method is used to retrieve data from the specified server using a provided URI. The security issue with the GET method is the lack of data confidentiality. The URL parameters transmitted with the request are not only visible to everyone in the browser’s address bar but are also stored unencrypted in the browser history, cache, and server log file. Therefore, the GET method can be considered safe if it is used only for retrieving non-sensitive data.
The HEAD method is the same as GET, but it is used to retrieve only header information. It can be used to target a web application by imitating a GET request. For example, the default security in Java EE web.xml files restricts access only for the GET and POST methods, which makes it possible to bypass authentication by sending a HEAD request to the target URL.
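The web.xml weakness described above can be checked for during a configuration review. The following Python audit is an added example, not code from the original article: it flags every security constraint that names specific `<http-method>` elements and therefore leaves HEAD and other verbs uncovered. The sample descriptor is constructed, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptor (not from the article): the first constraint
# names only GET and POST, so HEAD and every other verb are left uncovered.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>reports</web-resource-name>
      <url-pattern>/reports/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>user</role-name></auth-constraint>
  </security-constraint>
</web-app>"""


def local(tag):
    """Drop the XML namespace so old and new Java EE schemas both match."""
    return tag.rsplit("}", 1)[-1]


def children(elem, name):
    """Direct child elements of elem whose local tag name equals name."""
    return [c for c in elem if local(c.tag) == name]


def audit_web_xml(xml_text):
    """Return (url_pattern, listed_methods) for each method-specific constraint."""
    root = ET.fromstring(xml_text)
    # Servlet 3.1 descriptors can deny every verb that no constraint covers.
    if children(root, "deny-uncovered-http-methods"):
        return []
    findings = []
    for constraint in children(root, "security-constraint"):
        for coll in children(constraint, "web-resource-collection"):
            methods = sorted(m.text.strip().upper() for m in children(coll, "http-method") if m.text)
            if methods:  # an empty list means the constraint covers every verb
                findings += [(p.text.strip(), methods) for p in children(coll, "url-pattern")]
    return findings


if __name__ == "__main__":
    for pattern, methods in audit_web_xml(SAMPLE_WEB_XML):
        print(f"{pattern}: constraint covers only {methods}; other verbs are unprotected")
```

A flagged constraint is corrected by removing its `<http-method>` elements so that it applies to all verbs, or by adding `<deny-uncovered-http-methods/>` to a Servlet 3.1 descriptor.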
The POST method is used to send data to the server.