Are some HTTP verbs really inherently less secure than others?

Someone pointed me to this article

http://resources.infosecinstitute.com/http-verb-tempering-bypassing-web-authentication-and-authorization/

Which seems to be saying that all HTTP verbs other than GET and POST are inherently less secure, and should be disabled in the web server configuration.

It looks to me that the arguments of the article are completely bogus, and are based on an assumption that the underlying web platform performs less stringent checking for other verbs than it does on GET and POST.

I realise that by following the principle of least privilege and only opening up the verbs you need, the attack surface is reduced, but is there really any validity in the argument that some verbs are inherently less secure, and that I should avoid use of PUT and DELETE in a REST application for instance?

FWIW my platform is ASP.NET with a mixture of web forms and MVC.

I think you're misreading the article.

What it's saying is that there are HTTP Verbs which can be used to bypass the standard security configuration on popular web servers.

Specifically, if you use HTTP GET requests to do more than just retrieve data (e.g. by using query parameters like http://example.org/auth/root.jsp?cmd=adduser ), and you restrict access to the GET verb but forget to restrict access to the HEAD verb, an attacker can still invoke that URL without being challenged by your access control system.

According to the article, this vulnerability is present in IIS "out of the box".

However, because one of the basic points of REST is that GET does not modify data, a RESTful solution is by definition not affected by this potential vulnerability.
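The bypass the answer describes, worked through as an added example (not code from the question, the answer, or the linked article). It models a servlet-container style security constraint in plain Python: a rule that lists specific verbs (GET and POST, the way a web.xml `<http-method>` list does) versus a rule that applies to every verb, in front of an admin handler that performs its action regardless of verb. The dispatcher, the `/auth/root.jsp?cmd=adduser` handler and the user store are all constructed for illustration; the third configuration shows why a handler that refuses to mutate state on safe verbs (the RESTful discipline from the last paragraph) has nothing for a HEAD request to exploit.

```python
"""Verb-listed access rules versus all-verb rules, and why GET-with-side-effects matters.

Added example. The container, rules and handler below are a constructed model,
not Tomcat, IIS or ASP.NET code.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Set
from urllib.parse import parse_qs, urlsplit

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}  # RFC 7231 "safe" verbs: must not change state


@dataclass
class Constraint:
    """One access rule: which path prefix it guards and which verbs it applies to.

    methods=None means "every verb". A concrete set (e.g. {"GET", "POST"}) leaves
    every verb not in the set, HEAD included, outside the rule entirely.
    """
    path_prefix: str
    methods: Optional[Set[str]]

    def covers(self, method: str, path: str) -> bool:
        if not path.startswith(self.path_prefix):
            return False
        return self.methods is None or method in self.methods


@dataclass
class Request:
    method: str
    url: str
    authenticated: bool = False  # constructed stand-in for "session present"

    @property
    def path(self) -> str:
        return urlsplit(self.url).path

    @property
    def param(self) -> Callable[[str], Optional[str]]:
        q = parse_qs(urlsplit(self.url).query)
        return lambda name: (q.get(name) or [None])[0]


@dataclass
class App:
    constraints: List[Constraint]
    mutate_on_safe_verbs: bool = True  # True mirrors the article's root.jsp?cmd=adduser pattern
    users: Set[str] = field(default_factory=set)

    def handle(self, req: Request) -> int:
        """Return an HTTP status code; adds a user as a side effect when the handler runs."""
        for c in self.constraints:
            if c.covers(req.method, req.path) and not req.authenticated:
                return 401
        if req.path == "/auth/root.jsp" and req.param("cmd") == "adduser":
            if req.method in SAFE_METHODS and not self.mutate_on_safe_verbs:
                return 405  # RESTful handler: safe verbs never change state
            self.users.add(req.param("name") or "anonymous")
            return 200
        return 404


def verb_listed_app() -> App:
    """Rule that names GET and POST only; HEAD is unconstrained (the bypass)."""
    return App([Constraint("/auth/", {"GET", "POST"})])


def all_verbs_app() -> App:
    """Same path, rule applied to every verb; HEAD is challenged like GET."""
    return App([Constraint("/auth/", None)])


def restful_app() -> App:
    """Weak rule kept, but the handler refuses side effects on safe verbs."""
    return App([Constraint("/auth/", {"GET", "POST"})], mutate_on_safe_verbs=False)


ATTACK = "/auth/root.jsp?cmd=adduser&name=eve"  # constructed attacker URL


def run_demo() -> dict:
    """Drive each configuration with an unauthenticated GET and HEAD."""
    results = {}
    for label, app in (("verb_listed", verb_listed_app()),
                       ("all_verbs", all_verbs_app()),
                       ("restful", restful_app())):
        get_status = app.handle(Request("GET", ATTACK))
        head_status = app.handle(Request("HEAD", ATTACK))
        results[label] = (get_status, head_status, "eve" in app.users)
    return results


if __name__ == "__main__":
    for label, (get_status, head_status, added) in run_demo().items():
        print(f"{label:12s} GET={get_status} HEAD={head_status} user_added={added}")
```

Only the first configuration lets the unauthenticated HEAD reach the handler and create the user. Tightening the rule to all verbs fixes it at the container; dropping side effects from safe verbs fixes it in the application even with the weak rule in place. Doing both is the usual answer.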
