Why should someone block all methods other than GET and POST in a RESTful application?











up vote
7
down vote

favorite
1












TL;DR:



Is there a valid reason to demand a software vendor to stop using HTTP PUT and DELETE methods in a web application and use only GET and POST? The application is security hardened, pen-tested and powered by popular security frameworks.



In other words, if I allow deletion of a record via DELETE or POST by an authorized user (checking he has access to that record, auditing, etc), what is the difference from the security standpoint?



Full question



Our customer configured their Tomcat instance with the following, according to their corporate standard:



<security-constraint> 
<web-resource-collection>
<web-resource-name>restricted methods</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>CONNECT</http-method>
<http-method>PUT</http-method>
<http-method>DELETE</http-method>
<http-method>OPTIONS</http-method>
<http-method>TRACE</http-method>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
<auth-constraint />
</security-constraint>


This, among the Http Header Security Filter configuration, made our application break.



Our application provides the same HTTP Header security features in Spring Security. Also, our application is RESTful, so we widely use PUT and DELETE methods for file upload. In future releases, we are also planning to use websockets (but from a search, they don't use CONNECT, which is for proxying).



Our customer said that they will have to raise a policy exception in production in order remove the offending lines from Tomcat configuration and make the application work.



As part of the security exception policy, our customer's staff is obligated to engage the vendor in "fixing the security issue" within 6 months.



This means that they will return to me asking to make the application work with enabled HTTP method filtering and HTTP Header Security filter.



I don't want to do them a favour and change all Ajax calls from RESTful patterns to GET/POST only, not even for money.



Question is, as in the TLDR, could using PUT and DELETE methods alone, regardless of the security features of the application, pose a security risk?



Edit



I work in a software factory that deploys the same product instance to a large number of customers and our cloud. We are fully using all the tools we have on board, including the REST pattern. We are planning to employ HATEOAS, WebSockets, resumable file downloads, and everything the web technology can offer us to deliver better experience. Yes, sounds like a marketing line. Anyway, security is still a concern in our products.










share|improve this question




















  • 1




    I had some similar circumstances happen with clients. The result until now has been, either they give up and accept the changes required to make the application work, or they pay $$$ for supporting a special branch for them. If they pay enough to outset the cost and make a profit of that situation I don't see why you shouldn't do that.
    – Bakuriu
    6 hours ago






  • 1




    Me saying this doesn't help with your problem, but your customer is stupid.
    – immibis
    3 hours ago















up vote
7
down vote

favorite
1












TL;DR:



Is there a valid reason to demand a software vendor to stop using HTTP PUT and DELETE methods in a web application and use only GET and POST? The application is security hardened, pen-tested and powered by popular security frameworks.



In other words, if I allow deletion of a record via DELETE or POST by an authorized user (checking he has access to that record, auditing, etc), what is the difference from the security standpoint?



Full question



Our customer configured their Tomcat instance with the following, according to their corporate standard:



<security-constraint> 
<web-resource-collection>
<web-resource-name>restricted methods</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>CONNECT</http-method>
<http-method>PUT</http-method>
<http-method>DELETE</http-method>
<http-method>OPTIONS</http-method>
<http-method>TRACE</http-method>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
<auth-constraint />
</security-constraint>


This, among the Http Header Security Filter configuration, made our application break.



Our application provides the same HTTP Header security features in Spring Security. Also, our application is RESTful, so we widely use PUT and DELETE methods for file upload. In future releases, we are also planning to use websockets (but from a search, they don't use CONNECT, which is for proxying).



Our customer said that they will have to raise a policy exception in production in order remove the offending lines from Tomcat configuration and make the application work.



As part of the security exception policy, our customer's staff is obligated to engage the vendor in "fixing the security issue" within 6 months.



This means that they will return to me asking to make the application work with enabled HTTP method filtering and HTTP Header Security filter.



I don't want to do them a favour and change all Ajax calls from RESTful patterns to GET/POST only, not even for money.



Question is, as in the TLDR, could using PUT and DELETE methods alone, regardless of the security features of the application, pose a security risk?



Edit



I work in a software factory that deploys the same product instance to a large number of customers and our cloud. We are fully using all the tools we have on board, including the REST pattern. We are planning to employ HATEOAS, WebSockets, resumable file downloads, and everything the web technology can offer us to deliver better experience. Yes, sounds like a marketing line. Anyway, security is still a concern in our products.










share|improve this question




















  • 1




    I had some similar circumstances happen with clients. The result until now has been, either they give up and accept the changes required to make the application work, or they pay $$$ for supporting a special branch for them. If they pay enough to outset the cost and make a profit of that situation I don't see why you shouldn't do that.
    – Bakuriu
    6 hours ago






  • 1




    Me saying this doesn't help with your problem, but your customer is stupid.
    – immibis
    3 hours ago













up vote
7
down vote

favorite
1









up vote
7
down vote

favorite
1






1





TL;DR:



Is there a valid reason to demand a software vendor to stop using HTTP PUT and DELETE methods in a web application and use only GET and POST? The application is security hardened, pen-tested and powered by popular security frameworks.



In other words, if I allow deletion of a record via DELETE or POST by an authorized user (checking he has access to that record, auditing, etc), what is the difference from the security standpoint?



Full question



Our customer configured their Tomcat instance with the following, according to their corporate standard:



<security-constraint> 
<web-resource-collection>
<web-resource-name>restricted methods</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>CONNECT</http-method>
<http-method>PUT</http-method>
<http-method>DELETE</http-method>
<http-method>OPTIONS</http-method>
<http-method>TRACE</http-method>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
<auth-constraint />
</security-constraint>


This, among the Http Header Security Filter configuration, made our application break.



Our application provides the same HTTP Header security features in Spring Security. Also, our application is RESTful, so we widely use PUT and DELETE methods for file upload. In future releases, we are also planning to use websockets (but from a search, they don't use CONNECT, which is for proxying).



Our customer said that they will have to raise a policy exception in production in order remove the offending lines from Tomcat configuration and make the application work.



As part of the security exception policy, our customer's staff is obligated to engage the vendor in "fixing the security issue" within 6 months.



This means that they will return to me asking to make the application work with enabled HTTP method filtering and HTTP Header Security filter.



I don't want to do them a favour and change all Ajax calls from RESTful patterns to GET/POST only, not even for money.



Question is, as in the TLDR, could using PUT and DELETE methods alone, regardless of the security features of the application, pose a security risk?



Edit



I work in a software factory that deploys the same product instance to a large number of customers and our cloud. We are fully using all the tools we have on board, including the REST pattern. We are planning to employ HATEOAS, WebSockets, resumable file downloads, and everything the web technology can offer us to deliver better experience. Yes, sounds like a marketing line. Anyway, security is still a concern in our products.










share|improve this question















TL;DR:



Is there a valid reason to demand a software vendor to stop using HTTP PUT and DELETE methods in a web application and use only GET and POST? The application is security hardened, pen-tested and powered by popular security frameworks.



In other words, if I allow deletion of a record via DELETE or POST by an authorized user (checking he has access to that record, auditing, etc), what is the difference from the security standpoint?



Full question



Our customer configured their Tomcat instance with the following, according to their corporate standard:



<security-constraint> 
<web-resource-collection>
<web-resource-name>restricted methods</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>CONNECT</http-method>
<http-method>PUT</http-method>
<http-method>DELETE</http-method>
<http-method>OPTIONS</http-method>
<http-method>TRACE</http-method>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
<auth-constraint />
</security-constraint>


This, among the Http Header Security Filter configuration, made our application break.



Our application provides the same HTTP Header security features in Spring Security. Also, our application is RESTful, so we widely use PUT and DELETE methods for file upload. In future releases, we are also planning to use websockets (but from a search, they don't use CONNECT, which is for proxying).



Our customer said that they will have to raise a policy exception in production in order remove the offending lines from Tomcat configuration and make the application work.



As part of the security exception policy, our customer's staff is obligated to engage the vendor in "fixing the security issue" within 6 months.



This means that they will return to me asking to make the application work with enabled HTTP method filtering and HTTP Header Security filter.



I don't want to do them a favour and change all Ajax calls from RESTful patterns to GET/POST only, not even for money.



Question is, as in the TLDR, could using PUT and DELETE methods alone, regardless of the security features of the application, pose a security risk?



Edit



I work in a software factory that deploys the same product instance to a large number of customers and our cloud. We are fully using all the tools we have on board, including the REST pattern. We are planning to employ HATEOAS, WebSockets, resumable file downloads, and everything the web technology can offer us to deliver better experience. Yes, sounds like a marketing line. Anyway, security is still a concern in our products.







web-application http rest






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited 2 hours ago









SeldomNeedy

1114




1114










asked 9 hours ago









usr-local-ΕΨΗΕΛΩΝ

1,006412




1,006412








  • 1




    I had some similar circumstances happen with clients. The result until now has been, either they give up and accept the changes required to make the application work, or they pay $$$ for supporting a special branch for them. If they pay enough to outset the cost and make a profit of that situation I don't see why you shouldn't do that.
    – Bakuriu
    6 hours ago






  • 1




    Me saying this doesn't help with your problem, but your customer is stupid.
    – immibis
    3 hours ago














  • 1




    I had some similar circumstances happen with clients. The result until now has been, either they give up and accept the changes required to make the application work, or they pay $$$ for supporting a special branch for them. If they pay enough to outset the cost and make a profit of that situation I don't see why you shouldn't do that.
    – Bakuriu
    6 hours ago






  • 1




    Me saying this doesn't help with your problem, but your customer is stupid.
    – immibis
    3 hours ago








1




1




I had some similar circumstances happen with clients. The result until now has been, either they give up and accept the changes required to make the application work, or they pay $$$ for supporting a special branch for them. If they pay enough to outset the cost and make a profit of that situation I don't see why you shouldn't do that.
– Bakuriu
6 hours ago




I had some similar circumstances happen with clients. The result until now has been, either they give up and accept the changes required to make the application work, or they pay $$$ for supporting a special branch for them. If they pay enough to outset the cost and make a profit of that situation I don't see why you shouldn't do that.
– Bakuriu
6 hours ago




1




1




Me saying this doesn't help with your problem, but your customer is stupid.
– immibis
3 hours ago




Me saying this doesn't help with your problem, but your customer is stupid.
– immibis
3 hours ago










1 Answer
1






active

oldest

votes

















up vote
13
down vote













I suspect this is a case of someone zealously applying "best practices" that they don't understand.



HTTP Verb Tampering Attack



The reason this best practice exists is because of the HTTP Verb Tampering Attack. From this article:




Many Web server authentication mechanisms use verb-based authentication and access controls. For example, an administrator can configure a Web server to allow unrestricted access to a Web page using HTTP GET requests, but restrict POSTs to administrators only. However, many implementations of verb-based security mechanisms enforce the security rules in an unsecure manner, allowing access to restricted resources by using alternative HTTP methods (such as HEAD) or even arbitrary character strings.




So someone decided that because some apps are badly-written, all apps should be banned from accepting HTTP verbs other than GET or POST, because ... you know ... mumble mumble SECURITY!!





My opinion (possibly incomplete / incorrect, please post comments) :




  • Pure HTML / CSS / js content should be restricted to GET and POST because these are the only verbs allowed in the HTML spec.

  • APIs (AJAX, REST) should be allowed to use any verb from the HTTP spec, that said:


    • You should do extra security testing to make sure no authentication or access-control bypass vulnerabilities exist via verb tampering. I recommend following the OWASP testing guide.

    • Be aware that even if your application-layer correctly enforces verb-based access controls, your webserver front-end may not. For example I believe it's possible to configure webserver front-ends to process HEAD requests without consulting the application-layer, which in some cases could be considered an information disclosure vuln, for example confirming the existence of a secret URL and telling you its content-type.




It sounds like your app is fine and your customer has an overly-zealous security policy.






share|improve this answer























  • I just noticed there's a more thorough answer to this question here: security.stackexchange.com/q/21413/61443
    – Mike Ounsworth
    8 hours ago











Your Answer








StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "162"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});














draft saved

draft discarded


















StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f199776%2fwhy-should-someone-block-all-methods-other-than-get-and-post-in-a-restful-applic%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown

























1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes








up vote
13
down vote













I suspect this is a case of someone zealously applying "best practices" that they don't understand.



HTTP Verb Tampering Attack



The reason this best practice exists is because of the HTTP Verb Tampering Attack. From this article:




Many Web server authentication mechanisms use verb-based authentication and access controls. For example, an administrator can configure a Web server to allow unrestricted access to a Web page using HTTP GET requests, but restrict POSTs to administrators only. However, many implementations of verb-based security mechanisms enforce the security rules in an unsecure manner, allowing access to restricted resources by using alternative HTTP methods (such as HEAD) or even arbitrary character strings.




So someone decided that because some apps are badly-written, all apps should be banned from accepting HTTP verbs other than GET or POST, because ... you know ... mumble mumble SECURITY!!





My opinion (possibly incomplete / incorrect, please post comments) :




  • Pure HTML / CSS / js content should be restricted to GET and POST because these are the only verbs allowed in the HTML spec.

  • APIs (AJAX, REST) should be allowed to use any verb from the HTTP spec, that said:


    • You should do extra security testing to make sure no authentication or access-control bypass vulnerabilities exist via verb tampering. I recommend following the OWASP testing guide.

    • Be aware that even if your application-layer correctly enforces verb-based access controls, your webserver front-end may not. For example I believe it's possible to configure webserver front-ends to process HEAD requests without consulting the application-layer, which in some cases could be considered an information disclosure vuln, for example confirming the existence of a secret URL and telling you its content-type.




It sounds like your app is fine and your customer has an overly-zealous security policy.






share|improve this answer























  • I just noticed there's a more thorough answer to this question here: security.stackexchange.com/q/21413/61443
    – Mike Ounsworth
    8 hours ago















up vote
13
down vote













I suspect this is a case of someone zealously applying "best practices" that they don't understand.



HTTP Verb Tampering Attack



The reason this best practice exists is because of the HTTP Verb Tampering Attack. From this article:




Many Web server authentication mechanisms use verb-based authentication and access controls. For example, an administrator can configure a Web server to allow unrestricted access to a Web page using HTTP GET requests, but restrict POSTs to administrators only. However, many implementations of verb-based security mechanisms enforce the security rules in an unsecure manner, allowing access to restricted resources by using alternative HTTP methods (such as HEAD) or even arbitrary character strings.




So someone decided that because some apps are badly-written, all apps should be banned from accepting HTTP verbs other than GET or POST, because ... you know ... mumble mumble SECURITY!!





My opinion (possibly incomplete / incorrect, please post comments) :




  • Pure HTML / CSS / js content should be restricted to GET and POST because these are the only verbs allowed in the HTML spec.

  • APIs (AJAX, REST) should be allowed to use any verb from the HTTP spec, that said:


    • You should do extra security testing to make sure no authentication or access-control bypass vulnerabilities exist via verb tampering. I recommend following the OWASP testing guide.

    • Be aware that even if your application-layer correctly enforces verb-based access controls, your webserver front-end may not. For example I believe it's possible to configure webserver front-ends to process HEAD requests without consulting the application-layer, which in some cases could be considered an information disclosure vuln, for example confirming the existence of a secret URL and telling you its content-type.




It sounds like your app is fine and your customer has an overly-zealous security policy.






share|improve this answer























  • I just noticed there's a more thorough answer to this question here: security.stackexchange.com/q/21413/61443
    – Mike Ounsworth
    8 hours ago













up vote
13
down vote










up vote
13
down vote









I suspect this is a case of someone zealously applying "best practices" that they don't understand.



HTTP Verb Tampering Attack



The reason this best practice exists is because of the HTTP Verb Tampering Attack. From this article:




Many Web server authentication mechanisms use verb-based authentication and access controls. For example, an administrator can configure a Web server to allow unrestricted access to a Web page using HTTP GET requests, but restrict POSTs to administrators only. However, many implementations of verb-based security mechanisms enforce the security rules in an unsecure manner, allowing access to restricted resources by using alternative HTTP methods (such as HEAD) or even arbitrary character strings.




So someone decided that because some apps are badly-written, all apps should be banned from accepting HTTP verbs other than GET or POST, because ... you know ... mumble mumble SECURITY!!





My opinion (possibly incomplete / incorrect, please post comments) :




  • Pure HTML / CSS / js content should be restricted to GET and POST because these are the only verbs allowed in the HTML spec.

  • APIs (AJAX, REST) should be allowed to use any verb from the HTTP spec, that said:


    • You should do extra security testing to make sure no authentication or access-control bypass vulnerabilities exist via verb tampering. I recommend following the OWASP testing guide.

    • Be aware that even if your application-layer correctly enforces verb-based access controls, your webserver front-end may not. For example I believe it's possible to configure webserver front-ends to process HEAD requests without consulting the application-layer, which in some cases could be considered an information disclosure vuln, for example confirming the existence of a secret URL and telling you its content-type.




It sounds like your app is fine and your customer has an overly-zealous security policy.






share|improve this answer














I suspect this is a case of someone zealously applying "best practices" that they don't understand.



HTTP Verb Tampering Attack



The reason this best practice exists is because of the HTTP Verb Tampering Attack. From this article:




Many Web server authentication mechanisms use verb-based authentication and access controls. For example, an administrator can configure a Web server to allow unrestricted access to a Web page using HTTP GET requests, but restrict POSTs to administrators only. However, many implementations of verb-based security mechanisms enforce the security rules in an unsecure manner, allowing access to restricted resources by using alternative HTTP methods (such as HEAD) or even arbitrary character strings.




So someone decided that because some apps are badly-written, all apps should be banned from accepting HTTP verbs other than GET or POST, because ... you know ... mumble mumble SECURITY!!





My opinion (possibly incomplete / incorrect, please post comments) :




  • Pure HTML / CSS / js content should be restricted to GET and POST because these are the only verbs allowed in the HTML spec.

  • APIs (AJAX, REST) should be allowed to use any verb from the HTTP spec, that said:


    • You should do extra security testing to make sure no authentication or access-control bypass vulnerabilities exist via verb tampering. I recommend following the OWASP testing guide.

    • Be aware that even if your application-layer correctly enforces verb-based access controls, your webserver front-end may not. For example I believe it's possible to configure webserver front-ends to process HEAD requests without consulting the application-layer, which in some cases could be considered an information disclosure vuln, for example confirming the existence of a secret URL and telling you its content-type.




It sounds like your app is fine and your customer has an overly-zealous security policy.







share|improve this answer














share|improve this answer



share|improve this answer








edited 9 hours ago

























answered 9 hours ago









Mike Ounsworth

38.5k1493137




38.5k1493137












  • I just noticed there's a more thorough answer to this question here: security.stackexchange.com/q/21413/61443
    – Mike Ounsworth
    8 hours ago


















  • I just noticed there's a more thorough answer to this question here: security.stackexchange.com/q/21413/61443
    – Mike Ounsworth
    8 hours ago
















I just noticed there's a more thorough answer to this question here: security.stackexchange.com/q/21413/61443
– Mike Ounsworth
8 hours ago




I just noticed there's a more thorough answer to this question here: security.stackexchange.com/q/21413/61443
– Mike Ounsworth
8 hours ago


















draft saved

draft discarded




















































Thanks for contributing an answer to Information Security Stack Exchange!


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


To learn more, see our tips on writing great answers.





Some of your past answers have not been well-received, and you're in danger of being blocked from answering.


Please pay close attention to the following guidance:


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f199776%2fwhy-should-someone-block-all-methods-other-than-get-and-post-in-a-restful-applic%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







Popular posts from this blog

Bundesstraße 106

Verónica Boquete

Ida-Boy-Ed-Garten