HTTP Methods Allowed (per directory)
Info Nessus Plugin ID 43111
Synopsis
This plugin determines which HTTP methods are allowed on various CGI directories.
Description
By calling the OPTIONS method, it is possible to determine which HTTP methods are allowed on each directory.
The following HTTP methods are considered insecure:
PUT, DELETE, CONNECT, TRACE, HEAD
Many frameworks and languages treat a 'HEAD' request as a 'GET' request, albeit one without any body in the response. If a security constraint was set on 'GET' requests so that only 'authenticatedUsers' could access a particular servlet or resource, it could be bypassed by sending the 'HEAD' version of the same request. This allows unauthorized blind submission of any privileged GET request.
As this list may be incomplete, the plugin also tests various known HTTP methods on each directory (if 'Thorough tests' is enabled or 'Enable web applications tests' is set to 'yes' in the scan policy) and considers a method unsupported if it receives a response code of 400, 403, 405, or 501.
Note that the plugin output is only informational and does not necessarily indicate the presence of any security vulnerabilities.
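The check described above, written out as an added example for auditing your own web server (this is not the plugin's code): it parses the Allow header returned to OPTIONS, then tries the known methods one by one and keeps any that do not answer with 400, 403, 405 or 501. The URL, the `fake_probe` server stand-in and the method list are constructed assumptions for the demonstration.

```python
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Methods the plugin description flags as insecure.
INSECURE_METHODS = {"PUT", "DELETE", "CONNECT", "TRACE", "HEAD"}
# Known methods tried one by one because the Allow header may be incomplete
# (assumed list; the plugin's own list is not given on the page).
KNOWN_METHODS = ["GET", "HEAD", "POST", "PUT", "DELETE", "TRACE", "CONNECT", "OPTIONS", "PATCH"]
# Status codes the plugin treats as "method unsupported on this directory".
UNSUPPORTED_STATUSES = {400, 403, 405, 501}


def parse_allow(header):
    """Split an Allow header such as 'GET, POST, OPTIONS' into a set of methods."""
    if not header:
        return set()
    return {m.strip().upper() for m in header.split(",") if m.strip()}


def http_probe(url, method):
    """Send one request with the given method; return (status, Allow header)."""
    try:
        with urlopen(Request(url, method=method), timeout=5) as resp:
            return resp.status, resp.headers.get("Allow")
    except HTTPError as err:
        return err.code, err.headers.get("Allow")


def audit_directory(url, probe=http_probe):
    """Return the methods a directory accepts and which of them are insecure.
    Starts from OPTIONS/Allow, then tries KNOWN_METHODS and keeps any method
    whose response code is not in UNSUPPORTED_STATUSES."""
    _, allow_header = probe(url, "OPTIONS")
    allowed = parse_allow(allow_header)
    for method in KNOWN_METHODS:
        if method in allowed:
            continue
        status, _ = probe(url, method)
        if status not in UNSUPPORTED_STATUSES:
            allowed.add(method)
    return {"allowed": sorted(allowed), "insecure": sorted(allowed & INSECURE_METHODS)}


def fake_probe(url, method):
    """Constructed stand-in for a server whose Allow header omits HEAD and TRACE."""
    responses = {
        "OPTIONS": (200, "GET, POST, OPTIONS"),
        "GET": (200, None), "POST": (200, None),
        "HEAD": (200, None),   # served like GET but never advertised in Allow
        "TRACE": (200, None),  # enabled but not advertised either
    }
    return responses.get(method, (405, None))


if __name__ == "__main__":
    print(audit_directory("http://server.example/cgi-bin/", probe=fake_probe))
```

Running it against the constructed server reports HEAD and TRACE as allowed even though the Allow header lists neither, which is exactly the gap the fallback probing is meant to close.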