Overview
The HTTP specification (RFC 9110) defines a set of request methods — commonly called HTTP verbs — each with a distinct intended purpose. While GET and POST are required for ordinary web browsing and form submission, methods such as PUT, DELETE, and TRACE are intended for specific, controlled contexts. When these methods are left enabled on a production web server without strict access controls, they introduce significant attack surface.
- PUT: Instructs the server to store the request body at a specified URI, effectively allowing file upload or content replacement.
- DELETE: Instructs the server to remove the resource at the specified URI.
- TRACE: Echoes the received HTTP request back to the client, intended for diagnostic loop-back testing. It has no legitimate purpose in production environments.
- CONNECT and OPTIONS (secondary concern):
OPTIONSitself is low-risk but reveals which methods are enabled;CONNECTcan be abused to proxy traffic through the server.
How it works
An attacker first probes the server — typically with an OPTIONS request — to enumerate the list of accepted HTTP methods returned in the Allow response header. Depending on which dangerous methods are available, different attack vectors open up:
- PUT-based file upload: If the server accepts
PUTand the target directory is writable, an attacker can upload an arbitrary file (e.g., a web shell) directly to the web root. A request likePUT /shell.php HTTP/1.1with a malicious body can result in remote code execution if the server processes the uploaded file type. - DELETE-based content removal: An unauthenticated
DELETErequest to a valid resource URI will remove the resource from the server, causing denial of service or data loss. - TRACE-based Cross-Site Tracing (XST): The
TRACEmethod echoes all request headers — includingCookieandAuthorizationheaders — in its response body. When combined with a cross-domain scripting vector (e.g., a Flash or older browser XHR vulnerability), an attacker can readHttpOnlycookies that would normally be inaccessible to JavaScript, bypassing one of the key protections against session hijacking. - WebDAV extension risk: Servers with WebDAV enabled expose additional methods (
PROPFIND,MKCOL,COPY,MOVE) that compound the risk of unauthorised filesystem manipulation. - Firewall / WAF bypass via verb tampering: Some access control rules are bound to specific HTTP methods. Sending a request with an unexpected or custom method (e.g.,
HEADor an arbitrary verb) can bypass method-level ACLs enforced by middleware or web application firewalls.
Business impact
The consequences of exploiting unnecessarily enabled HTTP methods range from complete server compromise to regulatory penalties:
- Remote Code Execution (RCE): A successful PUT of a server-side script followed by a GET to execute it gives the attacker full control over the web application environment.
- Data destruction: Unrestricted DELETE access allows mass removal of application content, leading to service outages and unrecoverable data loss.
- Session hijacking: XST exploitation via TRACE can expose authenticated session tokens, enabling account takeover without user interaction.
- Compliance violations: Unauthorised data access or modification may trigger breach notification obligations under GDPR, PCI DSS, HIPAA, and similar frameworks.
- Reputational damage: Public disclosure of a web shell upload or site defacement via PUT carries significant reputational harm.
How to fix it
- Disable TRACE globally: TRACE has no valid production use. Disable it at the server level. In Apache, add
TraceEnable Offto the server configuration. In Nginx, there is no native TRACE support, but verify no upstream proxy re-enables it. In IIS, remove TRACE from the allowed verbs list inrequestFiltering. - Restrict PUT and DELETE to authenticated, authorised contexts only: If your application requires PUT or DELETE (e.g., a REST API), enforce authentication (OAuth 2.0, API keys) and authorisation checks before processing these methods. Never allow them on static file directories.
- Disable WebDAV if not required: WebDAV is a common source of dangerous method exposure. Disable the WebDAV module (
mod_davin Apache,WebDAVin IIS) unless there is an explicit operational need. - Use a whitelist of allowed HTTP methods: Configure your web server or WAF to accept only the methods your application actually uses (typically
GET,POST,HEAD,OPTIONS). In Apache: use<LimitExcept GET POST HEAD> Deny from all </LimitExcept>. In Nginx: useif ($request_method !~ ^(GET|POST|HEAD)$) { return 405; }. In IIS: userequestFilteringwith an explicit verb allowlist. - Apply network-layer controls: Use a Web Application Firewall (WAF) or reverse proxy to reject disallowed methods before they reach the application server.
- Verify with OPTIONS enumeration after hardening: After applying changes, send an
OPTIONSrequest to the server and confirm theAllowheader lists only the intended methods. - Audit regularly: Include HTTP method enumeration in periodic security assessments and CI/CD pipeline security tests to detect configuration drift.
References
- OWASP WSTG – Test HTTP Methods (WSTG-CONF-06)
- OWASP – Cross Site Tracing (XST)
- MITRE CWE-16: Configuration
- MITRE CWE-650: Trusting HTTP Permission Methods on the Server Side
- RFC 9110 – HTTP Semantics (IETF)
- RFC 4918 – HTTP Extensions for WebDAV (IETF)
- OWASP Top 10 A05:2021 – Security Misconfiguration
- Apache HTTP Server – TraceEnable Directive