Description
In order to protect access to various resources, web servers may be configured to prevent the use of specific HTTP verbs. However, some web frameworks provide a way to override the HTTP method of a request by supplying specific HTTP request headers. This feature is typically used when a web or proxy server restricts certain verbs but the application still needs them, especially in RESTful services. The override is applied by the application framework, after the web server has already evaluated the request's real method, so a verb restriction enforced at the server layer never sees the substituted verb. A malicious user can take advantage of this to bypass HTTP verb restrictions implemented on the server, which may allow the attacker to perform unintended actions on protected resources in the web application.
Solution
nginx
Add under `server`:

    set $method $request_method;
    proxy_method $method;

For example:

    server {
        set $method $request_method;
        proxy_method $method;
    }

Note: proxy_method already defaults to the client's request method, so these two lines only pin the method that nginx forwards upstream. They do not remove the override header from the proxied request, and it is the header that the application framework acts on. Combine this with removing the override headers (next section).
Rationale
nginx itself routes and proxies on the client's real request method and ignores the override header, so a verb restriction enforced in nginx (for example with limit_except) is not fooled. The header is interpreted by the application framework behind nginx (Express's method-override middleware and ASP.NET Core's HttpMethodOverrideMiddleware both honour X-HTTP-Method-Override by default), which substitutes the overriding verb after nginx has already let the request through. The proxy_method setting above does not remove the header, so the backend can still act on it.
The effective mitigation is therefore to strip the header before proxying. This can be done with the headers-more-nginx-module directive more_clear_input_headers, or, without a third-party module, with nginx's built-in proxy_set_header set to an empty value, which omits that header from the request sent to the upstream.
Remove these three headers:
X-Http-Method-Override
X-Method-Override
X-HTTP-Method
Stripping at the proxy only protects traffic that actually passes through nginx, so where possible also disable the method-override feature in the application itself.
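The following nginx configuration is an added example that is not part of the original note. It puts the note's proxy_method setting (which does not stop the bypass) beside a hardened location that strips the three override headers with proxy_set_header, and shows the headers-more-nginx-module equivalent. The upstream name `app_backend`, the address 127.0.0.1:8080, the hostname `example.internal` and the GET/POST-only restriction are assumptions made for the example.

```nginx
# Added example, not from the original note. Assumed: an upstream named
# "app_backend" on 127.0.0.1:8080 and a site served on port 80.
upstream app_backend {
    server 127.0.0.1:8080;
}

server {
    listen 80;
    server_name example.internal;   # assumed hostname

    # Weak configuration: the original note's fix. proxy_method already
    # defaults to the client's method, so these lines change nothing, and
    # X-HTTP-Method-Override still reaches the backend framework, which may
    # turn a permitted POST into a DELETE on its own.
    location /weak/ {
        limit_except GET POST { deny all; }   # checked against the real method only
        set $method $request_method;
        proxy_method $method;
        proxy_pass http://app_backend;
    }

    # Hardened configuration: remove all three override headers before
    # proxying. proxy_set_header with an empty value drops that header from
    # the upstream request; header names are matched case-insensitively.
    # proxy_set_header directives are inherited from the enclosing level only
    # when a location defines none of its own, so keep these lines next to
    # any other proxy_set_header lines in the same location.
    location / {
        limit_except GET POST { deny all; }
        proxy_set_header X-HTTP-Method-Override "";
        proxy_set_header X-Method-Override "";
        proxy_set_header X-HTTP-Method "";
        proxy_set_header Host $host;
        proxy_pass http://app_backend;
    }

    # Equivalent using headers-more-nginx-module (the module must be compiled
    # in or loaded with load_module):
    # location / {
    #     more_clear_input_headers X-Http-Method-Override X-Method-Override X-HTTP-Method;
    #     proxy_pass http://app_backend;
    # }
}
```

To verify the fix, send a request such as `curl -X POST -H 'X-HTTP-Method-Override: DELETE' http://example.internal/resource` and confirm in the backend's access log that the request was handled as a POST, not a DELETE; before the fix a framework that honours the header would log a DELETE.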
References
https://vulncat.fortify.com/en/detail?id=desc.dynamic.xtended_preview.often_misused_http_method_override
https://stackoverflow.com/questions/66032991/how-do-i-ensure-that-x-http-method-headers-are-ignored
https://docs.uipath.com/installation-and-upgrade/lang-zh_CN/docs/disabling-the-http-method-override-request
http://fandry.blogspot.com/2012/03/x-http-header-method-override-and-rest.html
https://mdnice.com/writing/09441b48b09a4e4f9db64203c95ce7f9