Thread: Arbitrary Methods enabled on server

Replies: 11 - Last Post: Feb 7, 2018 11:15 PM Last Post By: Alexandre Machado
Pramod Nair

Posts: 105
Registered: 5/21/06
Arbitrary Methods enabled on server
  Posted: Feb 1, 2018 11:32 PM
In the latest penetration test we got one vulnerability: 'It is observed that the Arbitrary Methods enabled on server'. How can I resolve this issue in IntraWeb, please?
Daniel Fields

Posts: 622
Registered: 11/29/04
Re: Arbitrary Methods enabled on server
  Posted: Feb 2, 2018 12:35 AM   in response to: Pramod Nair
Do you have any details? Are they talking about the actual server, or did they say it was your application?
Pramod Nair

Posts: 105
Registered: 5/21/06
Re: Arbitrary Methods enabled on server
  Posted: Feb 2, 2018 4:18 AM   in response to: Daniel Fields
Here are the details they gave:

Description:
HTTP offers a number of methods that can be used to perform actions on the web server. Sometimes, applications are
designed for verb-based authorization and access control. An attacker can manipulate these verbs to bypass the
security controls.

Solution:
If the application does not support the random method, it should issue an error page (or preferably a 405 Not Allowed or
501 Not Implemented error page).

Request Header:
TESTINDUS / HTTP/1.1
Host: 103.41.11.139:8891
Accept-Encoding: gzip, deflate
Accept: /
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Cookie: IW_ Online=tgOZ8mQW6uMM9FoGqnYnTW_6

Response Header:
HTTP/1.1 200 OK
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 114
Date: Wed, 31 Jan 2018 11:00:13 GMT
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1;mode=block
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=15768000; includeSubDomains; preload
Content-Security-Policy: default-src https: 'self'; img-src https: 'self'; object-src https: 'self'; style-src https: 'self' 'unsafe-inline'; script-src https: 'self' 'unsafe-inline' 'unsafe-eval'
Cache-Control:no-cache
Pragma:no-cache
P3P:CP="NO P3P"
Set-Cookie: IW_Indus Cosmos Online=tgOZ8mQW6uMM9FoGqnYnTW_11; Path=/; Max-Age=87600; Expires=Thu, 01-Feb-2018 11:20:13 GMT

Result:
Arbitrary Methods enabled on server.
or did they say it was your application?
my application

Daniel Fields wrote:
Do you have any details? Are they talking about the actual server, or did they say it was your application?

Edited by: Pramod Nair on Feb 3, 2018 3:39 AM
Daniel Fields

Posts: 622
Registered: 11/29/04
Re: Arbitrary Methods enabled on server
  Posted: Feb 3, 2018 12:01 PM   in response to: Pramod Nair
Does your application support parameters being passed to it? Something like http://mydomain.com:8888/$/start/?myparam=somevalue? If not, you can screen out any request that passes parameters to your application.

It appears they are saying the test passed parameters to your application, and it should have responded with an error.
Pramod Nair

Posts: 105
Registered: 5/21/06
Re: Arbitrary Methods enabled on server
  Posted: Feb 3, 2018 9:05 PM   in response to: Daniel Fields
We are not using any parameters. How should I restrict it?
Daniel Fields wrote:
Does your application support parameters being passed to it? Something like http://mydomain.com:8888/$/start/?myparam=somevalue? If not, you can screen out any request that passes parameters to your application.

It appears they are saying the test passed parameters to your application, and it should have responded with an error.
Jose Nilton Pace


Posts: 122
Registered: 5/15/98
Re: Arbitrary Methods enabled on server
  Posted: Feb 3, 2018 12:59 PM   in response to: Pramod Nair
Hi Pramod, is this an ISAPI or SA application?
Pramod Nair

Posts: 105
Registered: 5/21/06
Re: Arbitrary Methods enabled on server
  Posted: Feb 3, 2018 9:06 PM   in response to: Jose Nilton Pace
Hi Jose, SA


Jose Nilton Pace wrote:
Hi Pramod, is this an ISAPI or SA application?
Jose Nilton Pace


Posts: 122
Registered: 5/15/98
Re: Arbitrary Methods enabled on server
  Posted: Feb 4, 2018 6:44 AM   in response to: Pramod Nair
Pramod, I can reproduce the test case and so can you; follow these steps and, of course, the solution.
1. Open a CMD prompt and execute telnet with the command: telnet 103.41.11.139 8891
2. Open Notepad and write these two commands in it:
TRACE / HTTP/1.1
Host: localhost
TestA: Hello
TestB: World

OPTIONS / HTTP/1.1
Host: localhost

3. Copy one of them at a time and paste it into the telnet connection (black screen); after pasting, press the Return key twice.

You will see a result like this, where the test fails.
HTTP/1.1 200 OK
Connection: close
etc, etc, etc

The solution is (taking a ride on Daniel's answer below):
uses
  IW.HTTP.Request;

procedure TIWServerController.IWServerControllerBaseNewSession(aSession: TIWApplication);
begin
   ASession.Data := TIWUserSession.Create(nil, aSession);

   { THttpMethod = (hmNone, hmGet, hmPut, hmPost, hmHead); }
   { hmNone = OPTIONS / TRACE / ETC: any verb IntraWeb does not map to a known method }
   if ASession.Request.HttpMethod = hmNone then begin
      { Refuse the request with 405 and end the session before any page code runs }
      ASession.Response.Code     := 405;
      ASession.Response.CodeText := 'Not Allowed';
      ASession.Terminate;
   end;
end;

After the changes, repeat the test in the telnet prompt.

You will see a result like this, where the test does NOT fail.
HTTP/1.1 405 Not Allowed
Connection: close
etc, etc, etc
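The behaviour the finding asks for (405 Not Allowed or 501 Not Implemented for any method the application does not support) and the TRACE/OPTIONS probe in the telnet steps above, as an added Python example that is not IntraWeb code and not from this thread. The allow-list of GET/HEAD/POST, the probe request lines and the function names are constructed for illustration; the 405-versus-501 split and the Allow header follow RFC 7231.

```python
import re

# HTTP method names are tokens (RFC 7230, section 3.2.6) and are case-sensitive,
# so "get" is not the same method as "GET".
TOKEN_RE = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")

# Methods defined by RFC 7231/5789 that a general-purpose server recognises.
KNOWN_METHODS = frozenset(
    ("GET", "HEAD", "POST", "PUT", "DELETE", "CONNECT", "OPTIONS", "TRACE", "PATCH")
)

# Constructed allow-list for an application that only ever answers GET/HEAD/POST;
# TRACE and OPTIONS are deliberately absent so they are refused.
DEFAULT_ALLOWED = ("GET", "HEAD", "POST")


def parse_request_line(line):
    """Split 'METHOD SP request-target SP HTTP-version' into its three parts.

    Returns None for a malformed request line so the caller answers 400
    instead of guessing at the method.
    """
    parts = line.rstrip("\r\n").split(" ")
    if len(parts) != 3:
        return None
    method, target, version = parts
    if not TOKEN_RE.match(method) or not version.startswith("HTTP/"):
        return None
    return method, target, version


def decide_status(request_line, allowed=DEFAULT_ALLOWED):
    """Decide the response status before any application code runs.

    Returns (status_code, reason_phrase, extra_headers). Unrecognised verbs
    such as the scanner's TESTINDUS get 501; recognised verbs outside the
    allow-list (TRACE, OPTIONS, PUT, ...) get 405 together with the Allow
    header that RFC 7231 section 6.5.5 requires on a 405.
    """
    parsed = parse_request_line(request_line)
    if parsed is None:
        return 400, "Bad Request", {}
    method, _target, _version = parsed
    if method in allowed:
        return 200, "OK", {}
    if method not in KNOWN_METHODS:
        return 501, "Not Implemented", {}
    return 405, "Method Not Allowed", {"Allow": ", ".join(allowed)}


def response_head(status, reason, extra_headers):
    """Render the status line and headers the way they go on the wire."""
    lines = ["HTTP/1.1 %d %s" % (status, reason)]
    lines += ["%s: %s" % kv for kv in extra_headers.items()]
    lines.append("Connection: close")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def audit_request_lines(request_lines, allowed=DEFAULT_ALLOWED):
    """Map each probe request line to the status the allow-list returns.

    Usable as a regression check after deploying the fix: every probe that
    is not on the allow-list must come back as 405 or 501, never 200.
    """
    return {line: decide_status(line, allowed)[0] for line in request_lines}


# Constructed probe set mirroring the thread: the scanner's TESTINDUS verb,
# the TRACE/OPTIONS requests from the telnet steps, a lower-case GET and a
# normal GET.
PROBES = (
    "TESTINDUS / HTTP/1.1",
    "TRACE / HTTP/1.1",
    "OPTIONS / HTTP/1.1",
    "get / HTTP/1.1",
    "GET / HTTP/1.1",
)

if __name__ == "__main__":
    for line, status in audit_request_lines(PROBES).items():
        print("%-22s -> %d" % (line, status))
    print(response_head(*decide_status("TRACE / HTTP/1.1")).decode())
```

The decision is made from the request line alone, before any session or page object exists, which is the same placement the IntraWeb fix in this thread uses (the server controller's new-session event). Choosing 501 for verbs the server has never heard of and 405 for known-but-disallowed verbs keeps the two status codes the finding accepts meaningful, and the Allow header tells a legitimate client what it may use.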
Pramod Nair

Posts: 105
Registered: 5/21/06
Re: Arbitrary Methods enabled on server
  Posted: Feb 4, 2018 9:41 PM   in response to: Jose Nilton Pace
Thanks a lot, Jose. The issue is fixed now!

Jose Nilton Pace wrote:
Pramod, I can reproduce the test case and so can you; follow these steps and, of course, the solution.
[...]
Pramod Nair

Posts: 105
Registered: 5/21/06
Re: Arbitrary Methods enabled on server
  Posted: Feb 7, 2018 8:17 PM   in response to: Jose Nilton Pace
Hi Jose,
I did as you mentioned, but in the next round of penetration testing we also got the same vulnerability.
Thanks
Pramod

Jose Nilton Pace wrote:
Pramod, I can reproduce the test case and so can you; follow these steps and, of course, the solution.
[...]
Daniel Fields

Posts: 622
Registered: 11/29/04
Re: Arbitrary Methods enabled on server
  Posted: Feb 4, 2018 2:00 AM   in response to: Pramod Nair
You should restrict it in the ServerController's OnNewSession event.

procedure TIWServerController.IWServerControllerBaseNewSession(ASession: TIWApplication);
begin
    { Count is never negative; refuse only requests that actually carry run parameters }
    if (ASession.RunParams.Count > 0) then
    begin
      ASession.Response.Code := 501;
      ASession.Response.CodeText := 'Not implemented';
      ASession.Terminate('501 Not implemented');
    end
    else
    begin
      ASession.Data := TIWUserSession.Create(nil, ASession);
    end;
end;
Alexandre Machado

Posts: 1,754
Registered: 8/10/13
Re: Arbitrary Methods enabled on server
  Posted: Feb 7, 2018 11:15 PM   in response to: Pramod Nair
Pramod Nair wrote:
In the latest penetration test we got one vulnerability: 'It is observed that the Arbitrary Methods enabled on server'. How can I resolve this issue in IntraWeb, please?

We have already implemented this, as a new feature, in our code base. It should be available in the next IW 14.2.x release.

Kind regards