| Details | |
|---|---|
| Alert ID | 90028-1 |
| Alert Type | Active |
| Status | beta |
| Risk | Medium |
| CWE | 749 |
| WASC | 45 |
| Technologies Targeted | All |
| Tags | CWE-749 OWASP_2017_A06 OWASP_2021_A05 OWASP_2025_A02 POLICY_DEV_FULL POLICY_PENTEST POLICY_QA_FULL WSTG-V42-CONF-06 |
| More Info | Scan Rule Help |
Summary
The insecure HTTP method [DELETE] is enabled on the web server for this resource. Depending on the web server configuration, and on the underlying implementation responsible for serving the resource, this might or might not be exploitable: a DELETE (or PUT) that the server actually honours lets an attacker remove or replace server-side content, while one that is merely advertised in an OPTIONS response but rejected with 405 or 501 is a configuration finding only.

The TRACK and TRACE methods may be used by an attacker (cross-site tracing) to gain access to the authorisation token or session cookie of an application user, even if the session cookie is protected with the HttpOnly flag, because the server echoes the full request, cookies included, back in the response body. For the attack to be successful, the application user must typically be using an older web browser, or a web browser with a Same Origin Policy (SOP) bypass vulnerability, since current browsers refuse to issue TRACE from script.

The CONNECT method can be used by a web client to create an HTTP tunnel to third-party websites or services through the server, turning it into an open proxy.
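The following is an added example, not ZAP's own scan rule code, showing how the check behind this alert is performed: ask OPTIONS for the advertised methods, then send each insecure verb to the resource and judge the response (405/501 means the method is not really enabled; a 200 to TRACE that echoes a canary Cookie header is the cross-site tracing condition described above). So that it runs offline, it also starts a constructed local target (`_MisconfiguredHandler`) that honours DELETE and reflects TRACE; the URL, path and canary cookie value are assumptions.

```python
"""Probe a resource for insecure HTTP methods the way a scanner does.

Added example (not ZAP code). The local test server below is constructed
for the demo: it honours DELETE and echoes TRACE, leaving PUT/TRACK/CONNECT
unsupported, so the probe has something realistic to report.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse

INSECURE_METHODS = ("DELETE", "PUT", "TRACE", "TRACK", "CONNECT")
CANARY_COOKIE = "session=zap-canary-1234"  # assumed canary value


def insecure_from_allow(allow_header):
    """Insecure verbs advertised in an OPTIONS 'Allow:' header, sorted."""
    advertised = {m.strip().upper() for m in allow_header.split(",") if m.strip()}
    return sorted(advertised & set(INSECURE_METHODS))


def trace_reflects_cookie(status, body):
    """TRACE/TRACK is exploitable for cross-site tracing when the server
    answers 200 and the request (with our Cookie header) is in the body."""
    return status == 200 and CANARY_COOKIE in body


def _send(url, method):
    """Send one request with the canary cookie; return (status, body)."""
    u = urlparse(url)
    conn = http.client.HTTPConnection(u.hostname, u.port, timeout=5)
    conn.request(method, u.path or "/", headers={"Cookie": CANARY_COOKIE})
    resp = conn.getresponse()
    body = resp.read().decode("latin-1")
    conn.close()
    return resp.status, body


def options_allow(url):
    """Return the raw 'Allow:' header from an OPTIONS request ('' if none)."""
    u = urlparse(url)
    conn = http.client.HTTPConnection(u.hostname, u.port, timeout=5)
    conn.request("OPTIONS", u.path or "/")
    resp = conn.getresponse()
    allow = resp.getheader("Allow", "")
    resp.read()
    conn.close()
    return allow


def probe(url):
    """Map each insecure method the server does NOT reject (405/501) to
    (status, cookie_reflected). Only TRACE/TRACK are checked for reflection."""
    findings = {}
    for method in INSECURE_METHODS:
        status, body = _send(url, method)
        if status in (405, 501):
            continue  # advertised or not, the server refuses it
        reflected = method in ("TRACE", "TRACK") and trace_reflects_cookie(status, body)
        findings[method] = (status, reflected)
    return findings


class _MisconfiguredHandler(BaseHTTPRequestHandler):
    """Constructed test target: DELETE works, TRACE echoes the request."""

    def log_message(self, *args):  # keep the demo quiet
        pass

    def do_OPTIONS(self):
        self.send_response(204)
        self.send_header("Allow", "GET, HEAD, OPTIONS, DELETE, TRACE")
        self.end_headers()

    def do_DELETE(self):
        body = b"deleted\n"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_TRACE(self):
        # Echo request line and headers, exactly what makes TRACE dangerous.
        echo = f"{self.command} {self.path} {self.request_version}\r\n{self.headers}".encode()
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(echo)))
        self.end_headers()
        self.wfile.write(echo)


def start_test_server():
    """Start the constructed target on a free loopback port; return (server, url)."""
    server = HTTPServer(("127.0.0.1", 0), _MisconfiguredHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}/api/item/1"


if __name__ == "__main__":
    srv, target = start_test_server()
    print("Allow header advertises:", insecure_from_allow(options_allow(target)))
    for m, (st, refl) in probe(target).items():
        print(f"{m}: HTTP {st}" + ("  (cookie reflected: XST)" if refl else ""))
    srv.shutdown()
```

Against the constructed target, PUT, TRACK and CONNECT are dropped because the server answers 501, DELETE is reported as enabled (HTTP 200), and TRACE is reported with the cookie reflected. Point `probe()` at a real resource with a non-production cookie to reproduce the scanner's evidence.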