How To Disable Options Method Vulnerability
About OPTIONS method
OPTIONS is a diagnostic method which is mainly used for debugging purpose. This HTTP method basically reports which HTTP Methods that are allowed on the web server. In reality, this is rarely used for legitimate purposes, but it does grant a potential attacker a little bit of help and it can be considered a shortcut to find another hole.
How to fix it
OPTIONS method should be disabled.
Way to do it
Methods to disable OPTION method may vary depending upon the type, version of the web server.
IIS (For new versions)
In IIS, This can be done by denying the OPTIONS verb from the HTTP Verb Request Filtering rules in IIS.
- Open IIS Manager.
- Select the name of the machine to configure this globally (or change to the specific web site for which you need to configure this).
- Double click on "Request Filtering".
- Change to the HTTP Verbs tab.
- From the Actions pane, select "Deny Verb".
- Insert 'OPTIONS' in the Verb, and press OK to save changes.
IIS (For old versions)
In IIS, This can be done by denying the OPTIONS verb from the HTTP Verb Request Filtering rules in IIS.
- In IIS Manager, right click on the website and select Properties.
- Switch to the Home Directory tab, and click the Configuration button.
- In the list of application extensions, locate the extension that your web application uses and click the Edit button.
- In the Limit To field, specify the method you want to support and delete the ones you don't.
Apache
The traditional way to disable specific HTTP Methods in the Apache web server is with the use of mod rewrite. mod rewrite is a rules-based, rewriting engine that can be loaded in the standard apache configuration file or as part of an .htaccess file. There are a minimum of four components to a mod_rewrite rule; the directive that loads the module, the directive that turns the rewrite engine on, a rewrite condition, and a rewrite rule.
Steps:
Search your apache configuration file(s) for mod_rewrite.so. If it is not found, add the following line to your apache configuration file (typically known as httpd.conf):
LoadModule rewrite_module /usr/lib/apache2/modules/mod_rewrite.so
To enable rewrite engine,
RewriteEngine On
To disable option,
RewriteCond %{REQUEST_METHOD} ^OPTIONS
RewriteRule .* - [F]
i.e.,
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^OPTIONS
RewriteRule .* - [F]
Flags are set i.e. [F] for forbidden request, [R] for redirecting the page, likewise.
Note:
by default, rewrite configurations are not inherited across virtual servers. Add RewriteEngine On to each virtual host.Tomcat
In Apache Tomcat, security is enforced by way of security constraints that are built into the Java Servlet specification. These are not contained within the main server.xml file within tomcat but within the web.xml configuration file.webapps/theAPP/WEB-INF/web.xml
// Sample Security Constraint
<security-constraint>
<web-resource-collection>
<web-resource-name>
<strong>restricted methods</strong>
</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>OPTIONS</http-method>
</web-resource-collection>
<auth-constraint />
</security-constraint>
