Security Testing

Thursday, July 5, 2018

Authentication Bypass Using HTTP Verb Tampering or Body Parameters

Many web servers let you scope access control to HTTP methods, so a rule can be written to apply to one or more named methods.

The problem is that many configurations ALLOW any method that is not listed in the access control rule. An attacker who sends an unlisted method (HEAD, PUT, DELETE, or an arbitrary verb such as FOO) to the protected path is never challenged, so the control is bypassed. The same class of bypass appears when a framework lets a body parameter such as _method override the request verb: the access rule is evaluated against the verb on the wire, while the application acts on the overridden one.

Apache: avoid the "Limit" directive in .htaccess, which protects only the methods it names. Use "LimitExcept", which protects every method except the ones it names.
Java EE: avoid <http-method> in a <security-constraint>. A constraint that lists methods covers only those methods; leave the element out so the constraint applies to every method.
ASP.NET: close the <authorization> section with <deny verbs="*" users="*"/>, placed after the <allow> entries that whitelist the required verbs and users.
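The check a tester would run against such a configuration, as an added example that is not part of the original post: send the protected path every interesting method without credentials and list the ones that come back without a 401/403/405. To make it runnable offline, the script also starts two small stand-in servers of its own (not Apache): one that checks credentials only for the methods named in a Limit-style rule, and one that refuses unlisted methods and checks credentials on the rest, as a LimitExcept-style rule plus an unscoped Require does. The paths, the admin:secret credential and the made-up FOOBAR verb are all constructed for the demo.

```python
"""Probe a protected path with several HTTP methods and report the ones served
without a refusal. Added example; the two in-process servers are stand-ins
built for the demo, not a real Apache configuration."""
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Methods a tester would try; FOOBAR is a made-up verb that many servers
# still route to the normal handler.
PROBE_METHODS = ["GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS",
                 "TRACE", "PATCH", "FOOBAR"]

# Placeholder credential for the demo (admin:secret, base64).
VALID_AUTH = "Basic YWRtaW46c2VjcmV0"


def decide(limit_except, listed, method, authorized):
    """Status the stand-in server returns for a request to the protected area.

    limit_except=False mimics <Limit GET POST>: only the listed methods are
    checked, anything else is served as-is.
    limit_except=True mimics <LimitExcept GET POST> Require all denied
    </LimitExcept> plus an unscoped Require valid-user: unlisted methods are
    refused outright and listed ones still need credentials.
    (Real Apache also folds HEAD into GET inside Limit; this stand-in matches
    method names literally, which is the behaviour a tester is probing for.)
    """
    if limit_except:
        if method not in listed:
            return 403
        return 200 if authorized else 401
    if method in listed and not authorized:
        return 401
    return 200


def make_handler(limit_except, listed=("GET", "POST")):
    class Handler(BaseHTTPRequestHandler):
        def _serve(self):
            authorized = self.headers.get("Authorization") == VALID_AUTH
            status = 200
            if self.path.startswith("/admin"):
                status = decide(limit_except, listed, self.command, authorized)
            body = b"served\n" if status == 200 else b"refused\n"
            self.send_response(status)
            if status == 401:
                self.send_header("WWW-Authenticate", 'Basic realm="admin"')
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            if self.command != "HEAD":
                self.wfile.write(body)

        def __getattr__(self, name):
            # BaseHTTPRequestHandler dispatches on do_<METHOD>; route every
            # verb, including made-up ones, to the same handler.
            if name.startswith("do_"):
                return self._serve
            raise AttributeError(name)

        def log_message(self, *args):  # keep the demo quiet
            pass

    return Handler


def start_server(limit_except):
    """Start a stand-in server on an ephemeral loopback port; returns (server, base_url)."""
    srv = HTTPServer(("127.0.0.1", 0), make_handler(limit_except))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


def probe(base_url, path, methods=PROBE_METHODS, timeout=5):
    """Send each method without credentials; return {method: status} for every
    response that was not a refusal (401/403/405), i.e. the bypass candidates."""
    leaks = {}
    for method in methods:
        req = Request(base_url + path, method=method)
        try:
            with urlopen(req, timeout=timeout) as resp:
                status = resp.status
        except HTTPError as err:
            status = err.code
        if status not in (401, 403, 405):
            leaks[method] = status
    return leaks


if __name__ == "__main__":
    for label, limit_except in (("Limit-style", False), ("LimitExcept-style", True)):
        srv, base = start_server(limit_except)
        print(f"{label}: served without credentials -> {probe(base, '/admin') or 'none'}")
        srv.shutdown()
        srv.server_close()
```

Against the Limit-style server the probe reports HEAD, PUT, DELETE, OPTIONS, TRACE, PATCH and FOOBAR as served with 200; against the LimitExcept-style server it reports nothing. When running probe() against a real target, point it at a path you know requires credentials and treat any non-refusal as a finding to confirm by hand, since a 200 on OPTIONS or TRACE may be the server's own response rather than the protected resource.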
