Detectify
Knowledge Base


OPTIONS Disclosure

Last Updated: Apr 21, 2017 11:55PM CEST

The web server discloses its supported HTTP methods. This is not in itself a security vulnerability, but the information can aid an attacker in further attacks by revealing unusual configurations.

What can happen?

OPTIONS is a diagnostic method that returns a message useful for debugging and similar tasks. It cannot directly be used for anything malicious and is not classified as a vulnerability. However, an attacker might use it to find unusual setups and therefore aid in further attacks.

Example

$ curl -X OPTIONS http://example.org -i
HTTP/1.1 200 OK
Allow: OPTIONS, GET, HEAD, POST
Cache-Control: max-age=604800
Date: Thu, 13 Oct 2016 11:45:00 GMT
Expires: Thu, 20 Oct 2016 11:45:00 GMT
Server: EOS (lax004/2813)
x-ec-custom-error: 1
Content-Length: 0

Under Allow we can see that this specific page accepts OPTIONS, GET, HEAD and POST requests.

Remediation

There are instances where this request is actually needed, most often in certain REST APIs. However, those are a minority compared to every other page, so the default behavior should be to not allow OPTIONS.

The remediation is simply to disallow OPTIONS everywhere and, where needed, to manually enable it for a limited set of pages.
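The default-deny policy described above, implemented as a WSGI middleware. This is an added example, not code from the article or from Detectify: OPTIONS is answered with 405 everywhere except under an allowlisted path prefix (the "/api/" prefix and the "OPTIONS, GET, POST" method list are hypothetical values chosen for the example), and the allowlisted answer advertises only the methods that endpoint actually supports.

```python
"""Deny OPTIONS by default, enable it only for a limited set of paths (WSGI)."""

# Path prefixes that legitimately need OPTIONS, e.g. a REST API answering
# CORS preflights. Hypothetical values for this example.
OPTIONS_ALLOWED_PREFIXES = ("/api/",)

# Methods the allowlisted API actually supports; the Allow header must not
# advertise anything beyond this. Hypothetical value for this example.
API_METHODS = "OPTIONS, GET, POST"


def options_allowed(path: str) -> bool:
    """True only if the request path falls under an allowlisted prefix."""
    return any(path.startswith(prefix) for prefix in OPTIONS_ALLOWED_PREFIXES)


def restrict_options(app):
    """Wrap a WSGI app so OPTIONS gets 405 everywhere except allowlisted prefixes."""

    def middleware(environ, start_response):
        method = environ.get("REQUEST_METHOD", "GET").upper()
        path = environ.get("PATH_INFO", "/")
        if method == "OPTIONS":
            if not options_allowed(path):
                # Default: refuse without listing supported methods.
                start_response("405 Method Not Allowed", [("Content-Length", "0")])
                return [b""]
            # Allowlisted path: answer directly with the minimal method list.
            start_response(
                "204 No Content",
                [("Allow", API_METHODS), ("Content-Length", "0")],
            )
            return [b""]
        return app(environ, start_response)

    return middleware


def demo_app(environ, start_response):
    """Trivial upstream application standing in for the real site."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello\n"]


def handle(method: str, path: str):
    """Drive the wrapped app without a socket; returns (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    environ = {"REQUEST_METHOD": method, "PATH_INFO": path}
    body = b"".join(restrict_options(demo_app)(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    for method, path in [("OPTIONS", "/"), ("OPTIONS", "/api/users"), ("GET", "/")]:
        status, headers, _ = handle(method, path)
        print(f"{method} {path} -> {status} {headers}")
    # To serve for real:
    # from wsgiref.simple_server import make_server
    # make_server("127.0.0.1", 8000, restrict_options(demo_app)).serve_forever()
```

The same policy can be expressed in the web server's own configuration (a method check that returns 405 at the top level, overridden inside the API location); the middleware form is shown here because it makes the allowlist and the returned headers explicit and testable in one place.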

Resources

support@detectify.com