OPTIONS Disclosure

The web server discloses its supported HTTP methods. This is not a security vulnerability in itself, but the information gathered can help an attacker identify unusual configurations and plan further attacks.

What can happen?

OPTIONS is a diagnostic method that returns a message useful for debugging and similar tasks. It cannot directly be used for anything evil and is not classified as a vulnerability. However, an attacker might use it to discover unusual setups, which can aid further attacks.

Example

$ curl -X OPTIONS http://example.org -i
HTTP/1.1 200 OK
Allow: OPTIONS, GET, HEAD, POST
Cache-Control: max-age=604800
Date: Thu, 13 Oct 2016 11:45:00 GMT
Expires: Thu, 20 Oct 2016 11:45:00 GMT
Server: EOS (lax004/2813)
x-ec-custom-error: 1
Content-Length: 0

Under Allow we can see that this specific page accepts OPTIONS, GET, HEAD and POST requests.

Remediation

There are instances where this request is actually needed, most often in certain REST APIs. However, those are a minority compared with ordinary pages, so the default behavior should be to not allow OPTIONS.

The remediation is simply to disallow OPTIONS everywhere and, where it is needed, to enable it manually for a limited set of pages.
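As an added illustration of this remediation (example code, not from the original page or any particular server product): a minimal Python HTTP server that refuses OPTIONS by default and enables it only under an /api/ prefix, plus a probe that mirrors the curl check above. The /api/ prefix and the advertised method list are assumptions chosen for the example.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed: only the REST API under /api/ genuinely needs OPTIONS.
OPTIONS_ALLOWED_PREFIXES = ("/api/",)


class Handler(BaseHTTPRequestHandler):
    def log_message(self, *args):  # keep the demo quiet
        pass

    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Length", "2")
        self.end_headers()
        self.wfile.write(b"ok")

    def do_OPTIONS(self):
        if self.path.startswith(OPTIONS_ALLOWED_PREFIXES):
            # Explicitly enabled here: advertise what this resource supports.
            self.send_response(204)
            self.send_header("Allow", "OPTIONS, GET, POST")
            self.end_headers()
        else:
            # Default everywhere else: refuse without enumerating methods.
            # (RFC 7231 says a 405 should carry Allow; omitting it is the
            # deliberate trade-off this remediation makes.)
            self.send_response(405)
            self.send_header("Content-Length", "0")
            self.end_headers()


def start_server():
    """Start the server on an ephemeral loopback port; returns (server, port)."""
    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def probe_options(port, path):
    """Equivalent of `curl -X OPTIONS -i`: returns (status, Allow header or None)."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("OPTIONS", path)
    resp = conn.getresponse()
    allow = resp.getheader("Allow")
    conn.close()
    return resp.status, allow
```

Run `start_server()` and call `probe_options(port, "/")` versus `probe_options(port, "/api/items")` to see the default denial and the enabled path side by side.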

Resources