Summary
Acunetix 360 detected that the web application is using a security-constraint
section that includes a web-resource-collection
section with one or more http-method
definitions. It's not recommended to use http-method
definitions. When listing specific methods in their configuration, developers are actually allowing more access than they intend. It's safer to remove all http-method
definitions.
Example vulnerable config:
<security-constraint>
<web-resource-collection>
<web-resource-name>adminres</web-resource-name>
<url-pattern>/admin/*</url-pattern>
<http-method>GET</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>admin</role-name>
</auth-constraint>
</security-constraint>
In the example above, an attacker can manipulate the HTTP method and use the HEAD method to access anything in the /admin/*.
Impact
Attackers can manipulate the HTTP method to attempt to bypass the security constraint.
Actions To Take
Remove all http-method
definitions from the security-constraint
section.
Example safer config:
<security-constraint>
<web-resource-collection>
<web-resource-name>adminres</web-resource-name>
<url-pattern>/admin/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>admin</role-name>
</auth-constraint>
</security-constraint>