How To Disable Options Method Vulnerability

About OPTIONS method

OPTIONS is a diagnostic method mainly used for debugging. It reports which HTTP methods the web server allows. In practice it is rarely used for legitimate purposes, but it gives a potential attacker a little help and can be considered a shortcut to finding another hole.

How to fix it

The OPTIONS method should be disabled.

Way to do it

How to disable the OPTIONS method varies with the type and version of the web server.


IIS (For new versions)

In IIS, this can be done by denying the OPTIONS verb in the HTTP Verb Request Filtering rules.

  • Open IIS Manager.
  • Select the name of the machine to configure this globally (or change to the specific web site for which you need to configure this).
  • Double click on "Request Filtering".
  • Change to the HTTP Verbs tab.
  • From the Actions pane, select "Deny Verb".
  • Insert 'OPTIONS' in the Verb, and press OK to save changes.

IIS (For old versions)

In older IIS versions, this is done from the website's Properties dialog in IIS Manager, by limiting the verbs allowed for the application extension mapping.

  • In IIS Manager, right click on the website and select Properties.
  • Switch to the Home Directory tab, and click the Configuration button.
  • In the list of application extensions, locate the extension that your web application uses and click the Edit button.
  • In the Limit To field, specify the method you want to support and delete the ones you don't.

Apache

The traditional way to disable specific HTTP methods in the Apache web server is with mod_rewrite. mod_rewrite is a rules-based rewriting engine that can be configured in the standard Apache configuration file or in an .htaccess file. A mod_rewrite rule has at least four components: the directive that loads the module, the directive that turns the rewrite engine on, a rewrite condition, and a rewrite rule.

Steps:

  • Search your Apache configuration file(s) for mod_rewrite.so. If it is not found, add the following line to your Apache configuration file (typically httpd.conf):

    LoadModule rewrite_module /usr/lib/apache2/modules/mod_rewrite.so

  • Turn the rewrite engine on:

    RewriteEngine On

  • Block the OPTIONS method with a rewrite condition and a rewrite rule:

    RewriteCond %{REQUEST_METHOD} ^OPTIONS
    RewriteRule .* - [F]

Put together:

    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^OPTIONS
    RewriteRule .* - [F]

The flag in square brackets selects the action: [F] answers the request with 403 Forbidden, [R] redirects it, and so on.

Note:

By default, rewrite configurations are not inherited by virtual hosts. Add RewriteEngine On to each virtual host.

Tomcat

In Apache Tomcat, security is enforced through security constraints defined by the Java Servlet specification. These are not placed in Tomcat's main server.xml but in the application's web.xml configuration file.

webapps/theAPP/WEB-INF/web.xml

<!-- Sample security constraint: an empty <auth-constraint/> grants access to no role,
     so OPTIONS is refused for every URL under /* -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>restricted methods</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>OPTIONS</http-method>
  </web-resource-collection>
  <auth-constraint />
</security-constraint>
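The following Python script is an added example, not part of the original page or of Tomcat: it audits a web.xml file and reports which methods a security constraint denies to everyone, so you can confirm the constraint above really covers OPTIONS for /* before deploying. The embedded web.xml is a constructed sample; the function names are my own.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.xml (not taken from any real deployment) that mirrors
# the constraint shown above and additionally denies TRACE.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>restricted methods</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>OPTIONS</http-method>
      <http-method>TRACE</http-method>
    </web-resource-collection>
    <auth-constraint />
  </security-constraint>
</web-app>
"""


def _local(tag):
    """Strip a namespace prefix: '{http://...}name' -> 'name'."""
    return tag.rsplit("}", 1)[-1]


def denied_methods(web_xml_text):
    """Return {url_pattern: set_of_methods} for every security-constraint whose
    <auth-constraint/> lists no role-name, i.e. denies those methods to everyone.
    A collection that lists no <http-method> constrains all methods ("*")."""
    root = ET.fromstring(web_xml_text)
    denied = {}
    for sc in root.iter():
        if _local(sc.tag) != "security-constraint":
            continue
        auth = [c for c in sc if _local(c.tag) == "auth-constraint"]
        # No auth-constraint at all, or one with a role-name, is not a blanket deny.
        if not auth or any(_local(r.tag) == "role-name" for r in auth[0]):
            continue
        for wrc in sc:
            if _local(wrc.tag) != "web-resource-collection":
                continue
            patterns = [(p.text or "").strip() for p in wrc if _local(p.tag) == "url-pattern"]
            methods = {(m.text or "").strip().upper() for m in wrc if _local(m.tag) == "http-method"}
            if not methods:
                methods = {"*"}
            for pattern in patterns:
                denied.setdefault(pattern, set()).update(methods)
    return denied


def options_blocked(web_xml_text):
    """True when OPTIONS is denied for the whole application (/*)."""
    methods = denied_methods(web_xml_text).get("/*", set())
    return "OPTIONS" in methods or "*" in methods


if __name__ == "__main__":
    print(denied_methods(SAMPLE_WEB_XML))   # {'/*': {'OPTIONS', 'TRACE'}}
    print(options_blocked(SAMPLE_WEB_XML))  # True
```

To audit a real application, read webapps/theAPP/WEB-INF/web.xml into a string and pass it to options_blocked; a constraint that names a role in its auth-constraint only restricts the method to that role, which is why the audit treats it as not blocked.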


NGINX

Disable OPTIONS method in NGINX

It is recommended to disable any HTTP method that the web server does not need to serve. The following condition, added inside the server section of the Nginx configuration file, disables the OPTIONS method:

    if ($request_method ~ ^(OPTIONS)$ )
    {
        return 403;
    }

The result can be tested with curl: curl -i -X OPTIONS https://domain.com. A hardened server answers with an error status (403 here) instead of an Allow header listing the supported methods.
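As an added example (not from the original page), the Python script below automates the curl check: it sends an OPTIONS request and treats the server as hardened only when the response is a 4xx with no Allow header. To keep the example self-contained it also starts a small local HTTP server that behaves like the Nginx snippet above (403 on OPTIONS); the handler class and function names are my own.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


class _LockedDownHandler(BaseHTTPRequestHandler):
    """Local stand-in for a hardened server (constructed for this example):
    serves GET, refuses OPTIONS with 403 like the Nginx rule, emits no Allow."""

    def do_GET(self):
        body = b"ok"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_OPTIONS(self):
        self.send_response(403)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):
        pass  # keep the example quiet


def start_test_server():
    """Bind to an ephemeral port on localhost and serve in a daemon thread."""
    srv = HTTPServer(("127.0.0.1", 0), _LockedDownHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def probe_method(host, port, method, path="/"):
    """Send one request and return (status, Allow header or None)."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request(method, path)
        resp = conn.getresponse()
        resp.read()
        return resp.status, resp.getheader("Allow")
    finally:
        conn.close()


def options_is_disabled(host, port):
    """Hardened means OPTIONS is rejected (4xx) and no Allow header leaks
    the method list; a 2xx, or any Allow header, fails the check."""
    status, allow = probe_method(host, port, "OPTIONS")
    return 400 <= status < 500 and allow is None


if __name__ == "__main__":
    srv = start_test_server()
    host, port = srv.server_address
    print("GET     ->", probe_method(host, port, "GET"))      # (200, None)
    print("OPTIONS ->", probe_method(host, port, "OPTIONS"))  # (403, None)
    print("OPTIONS disabled:", options_is_disabled(host, port))  # True
    srv.shutdown()
```

After applying one of the configurations above, point probe_method at your own server's host and port (use http.client.HTTPSConnection for HTTPS) to confirm the change took effect; servers that return 405 or 404 for a denied verb also pass, which matches the varied statuses the different web servers use.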