Rules Repository / RSPEC-3752

Allowing both safe and unsafe HTTP methods is security-sensitive


    Details

    • Message:
      Make sure allowing safe and unsafe HTTP methods is safe here.
    • Highlighting:
      @RequestMapping...
    • Default Severity:
      Minor
    • Impact:
      Low
    • Likelihood:
      Low
    • Default Quality Profiles:
      Sonar way
    • Covered Languages:
      Java, Python
    • Remediation Function:
      Constant/Issue
    • Constant Cost:
      5min
    • Analysis Scope:
      Main Sources
    • CWE:
      CWE-352
    • OWASP:
      A5
    • SANS Top 25:
      Insecure Interaction Between Components
    • FindSecBugs:
      SPRING_CSRF_UNRESTRICTED_REQUEST_MAPPING

      Description

      An HTTP method is safe when used to perform a read-only operation, such as retrieving information. In contrast, an unsafe HTTP method is used to change the state of an application, for instance to update a user's profile on a web application.

      Common safe HTTP methods are GET, HEAD, or OPTIONS.
      Common unsafe HTTP methods are POST, PUT and DELETE.

      Allowing both safe and unsafe HTTP methods to perform a specific operation on a web application can weaken its security. For example, CSRF protections usually only cover operations performed by unsafe HTTP methods, so a state-changing operation that is also reachable through a safe method bypasses that protection.

      Ask Yourself Whether

      • HTTP methods are not defined at all for a route/controller of the application.
      • Safe HTTP methods are defined and used for a route/controller that can change the state of an application.

      There is a risk if you answered yes to any of those questions.

      Recommended Secure Coding Practices

      For all the routes/controllers of an application, the authorized HTTP methods should be explicitly defined and safe HTTP methods should only be used to perform read-only operations.
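      The following Spring MVC controller is an added illustration of the pattern this rule flags and of the recommended practice; it is not code from the rule page or from SonarSource. The class, route and ProfileService names are hypothetical. The first handler is the noncompliant case: with no method attribute on @RequestMapping, a state-changing endpoint answers GET as well as POST, and since Spring Security's CSRF filter only checks tokens on unsafe methods, a GET reaching that handler is never checked. The second controller restricts each route to the method that matches the kind of operation it performs.

```java
// Added example, not part of the RSPEC-3752 page. Package, class, route and
// ProfileService names are hypothetical.
package example.profile;

import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

// Hypothetical collaborator that owns the profile state.
interface ProfileService {
    String currentEmail();
    void updateEmail(String email);
}

// Noncompliant: the mapping declares no HTTP method, so this state-changing
// route is reachable through GET, HEAD and OPTIONS as well as POST. The CSRF
// token check only applies to unsafe methods, so a GET to /legacy/email
// changes state without any token being verified.
@RestController
@RequestMapping("/legacy")
class LegacyProfileController {

    private final ProfileService profiles;

    LegacyProfileController(ProfileService profiles) {
        this.profiles = profiles;
    }

    @RequestMapping("/email")  // Noncompliant: no method restriction
    public ResponseEntity<Void> updateEmail(@RequestParam String email) {
        profiles.updateEmail(email);
        return ResponseEntity.noContent().build();
    }
}

// Compliant: every route names the methods it accepts, and safe methods are
// only used for read-only operations.
@RestController
@RequestMapping("/profile")
class ProfileController {

    private final ProfileService profiles;

    ProfileController(ProfileService profiles) {
        this.profiles = profiles;
    }

    // Read-only operation: a safe method is appropriate here.
    @GetMapping("/email")
    public ResponseEntity<String> currentEmail() {
        return ResponseEntity.ok(profiles.currentEmail());
    }

    // State change: restricted to POST, which is where the CSRF token
    // check is enforced. A GET to this path now receives 405 Method Not Allowed.
    @PostMapping("/email")
    public ResponseEntity<Void> updateEmail(@RequestParam String email) {
        profiles.updateEmail(email);
        return ResponseEntity.noContent().build();
    }
}
```

The same separation can be expressed with @RequestMapping(method = RequestMethod.POST) on older Spring versions; what matters for this rule is that the method list is explicit and that no safe method is accepted by a route that mutates state.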

      See


          Issue Links

          1.
          Java RSPEC-5819 Language-Specification Active Unassigned
          2.
          Python RSPEC-6154 Language-Specification Active Unassigned


              People

              Assignee:
              Unassigned
              Reporter:
              ann.campbell.2 Ann Campbell
