Description

This web application is using a security-constraint section that includes a web-resource-collection section with one or more http-method definitions. It's not recommended to use http-method definitions. When listing specific methods in their configuration, developers are actually allowing more access than they intend. It's safer to remove all http-method definitions.

Example vulnerable config: 

 <security-constraint>
        <web-resource-collection>
          <web-resource-name>adminres</web-resource-name>
          <url-pattern>/admin/*</url-pattern>
          <http-method>GET</http-method>
        </web-resource-collection>
        <auth-constraint>
                <role-name>admin</role-name>
        </auth-constraint>
 </security-constraint>
In the example above, an attacker can manipulate the HTTP method and use the HEAD method to access anything in the /admin/*.

Remediation

Remove all http-method definitions from the security-constraint section.

Example safer config: 

<security-constraint>
        <web-resource-collection>
          <web-resource-name>adminres</web-resource-name>
          <url-pattern>/admin/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
                <role-name>admin</role-name>
        </auth-constraint>
 </security-constraint>

References

Http verb tempering: bypassing web authentication and authorization

Related Vulnerabilities

Pentaho API Auth bypass (CVE-2021-31602)

ColdFusion RDS Service enabled

GraphQL Circular-Query via Introspection Allowed: Potential DoS Vulnerability

WebDAV remote code execution

Content-Security-Policy-Report-Only Cannot Be Declared Without report-uri Directive

Severity

Medium

Classification

CWE-16 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Tags

Configuration