Vulnerability Fixation
How to Disable HTTP PUT Method

The HTTP PUT method allows a client to upload or replace a resource on a server at a specific URL. If the resource exists, PUT updates it; if not, it can be created at the requested location. The client usually provides data along with headers like Content-Type and Content-Length to define the uploaded content.

Although useful for controlled file management, enabling PUT without proper security can allow unauthorized users to upload harmful files, potentially leading to data compromise or server takeover.

Verification of vulnerability:

If an HTTP PUT request returns "201 Created", the file sent in the PUT request was successfully created at the specified URI.

If an HTTP PUT request returns "200 OK", the file sent in the PUT request successfully modified the resource at the specified URI, provided its file type matched the one already present on the server.

Solution: to disable HTTP PUT

Apache

# Requires mod_rewrite; place in the vhost config or an .htaccess file
RewriteEngine On
# Return 403 Forbidden for any request whose method is TRACE, PUT or OPTIONS
RewriteCond %{REQUEST_METHOD} ^(TRACE|PUT|OPTIONS)$
RewriteRule .* - [F]

Tomcat

<!-- Add to the application's WEB-INF/web.xml (or conf/web.xml for all applications) -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>restricted methods</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>PUT</http-method>
    <!-- POST is listed here as well; remove it if the application accepts form submissions -->
    <http-method>POST</http-method>
    <http-method>DELETE</http-method>
    <http-method>OPTIONS</http-method>
    <http-method>TRACE</http-method>
  </web-resource-collection>
  <!-- An empty auth-constraint denies the listed methods to every caller -->
  <auth-constraint />
</security-constraint>

IIS

  • Open IIS Manager
  • Select the name of the machine to configure this globally (or change to the specific web site for which you need to configure this)
  • Double click on "Request Filtering"
  • Change to the HTTP Verbs tab
  • From the Actions pane, select "Deny Verb"
  • Insert "PUT" in the Verb, and press OK to save changes
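Once one of the fixes above is in place, the same PUT check from the verification section can be run against the server to confirm the method is now refused. The following is an added Python example, not code from the original page: a hypothetical local server that rejects PUT the way the Apache, Tomcat and IIS rules do, plus a probe that classifies the response (201/200 means the upload was accepted, 403/405 means it was blocked). The handler, port and path are constructed for the example.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

ALLOWED = ("GET", "HEAD", "POST")


class NoPutHandler(BaseHTTPRequestHandler):
    """Hypothetical handler mirroring the effect of the server rules above:
    PUT and other unlisted verbs are refused before anything is written."""

    def _deny(self):
        self.send_response(405)  # Method Not Allowed
        self.send_header("Allow", ", ".join(ALLOWED))
        self.send_header("Content-Length", "0")
        self.end_headers()

    def do_PUT(self):
        # Drain the request body so the connection stays clean, but never store it
        length = int(self.headers.get("Content-Length", "0"))
        self.rfile.read(length)
        self._deny()

    do_DELETE = do_OPTIONS = do_TRACE = do_PUT

    def log_message(self, *args):  # keep the example quiet
        pass


def start_server():
    """Start the constructed server on an ephemeral loopback port."""
    srv = HTTPServer(("127.0.0.1", 0), NoPutHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def probe_put(host, port, path="/put-check.txt"):
    """Send a harmless PUT and return the HTTP status code the server answers with."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("PUT", path, body=b"probe", headers={"Content-Type": "text/plain"})
    resp = conn.getresponse()
    resp.read()
    conn.close()
    return resp.status


def put_is_disabled(status):
    """201 or 200 means the upload was accepted; 403 or 405 means PUT is blocked."""
    return status in (403, 405)
```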
