Title:

HTTP DELETE method is enabled. This may result in letting malicious user delete content or code from the web server, thus resulting into data loss.

Vulnerability:

What is HTTP DELETE method?
The DELETE method requests that the origin server remove the association between the target resource and its current functionality. .i.e. HTTP DELETE method deletes the specified resource at the origin of server.
DELETE /root.html HTTP 1.1

The DELETE request message has no defined semantics.
DELETE /root.html HTTP 1.1
Host: test.com

Verification of vulnerability:

If HTTP DELETE request gives response as ‘202 Accepted’ then DELETE request was successfully applied on specified URI but might not be enacted.
If HTTP DELETE request gives response as ‘204 No content’ then file in DELETE request was successfully on specified URI no other information is to be supplied or the response message includes status of the representation.

Solution:

To disable HTTP DELETE in Apache:
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|OPTIONS)
RewriteRule .* - [F]

To disable HTTP DELETE in IIS:

  1. Open IIS Manager
  2. Select the name of the machine to configure this globally (or change to the specific web site for which you need to configure this)
  3. Double click on ‘Request Filtering’
  4. Change to the HTTP Verbs tab
  5. From the Actions pane, select ‘Deny Verb’
  6. Insert ‘DELETE’ in the Verb, and press OK to save changes

To disable HTTP DELETE in Tomcat:
<security-constraint>
<web-resource-collection>
<web-resource-name><strong>restricted methods</strong></web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>DELETE</http-method>
<http-method>POST</http-method>
<http-method>DELETE</http-method>
<http-method>OPTIONS</http-method>
<http-method>TRACE</http-method>
</web-resource-collection>
<auth-constraint />
</security-constraint>