ZAP – Insecure HTTP Method

Details
Alert ID	90028-4
Alert Type	Active
Status	beta
Risk	Medium
CWE	749
WASC	45
Technologies Targeted	All
Tags	CWE-749 OWASP_2017_A06 OWASP_2021_A05 OWASP_2025_A02 POLICY_DEV_FULL POLICY_PENTEST POLICY_QA_FULL WSTG-V42-CONF-06
More Info	Scan Rule Help

Summary

The insecure HTTP method [CONNECT] is enabled for this resource, and is exploitable. It was found to be possible to establish a tunneled socket connection to a third party service, using this HTTP method. This would allow the service to be used as an anonymous spam relay, or as a web proxy, bypassing network restrictions. It also allows it to be used to establish a tunneled VPN, effectively extending the network perimeter to include untrusted components.

Solution

Disable insecure methods such as TRACK, TRACE, and CONNECT on the web server, and ensure that the underlying service implementation does not support insecure methods.

Other Info

The CONNECT method was used to establish a socket connection to [www.example.com], via the web server.

References

https://cwe.mitre.org/data/definitions/205.html

Code

org/zaproxy/zap/extension/ascanrulesBeta/InsecureHttpMethodScanRule.java

Insecure HTTP Method - CONNECT

Summary

Solution

Other Info

References

Code