Details
Alert ID 90028-6
Alert Type Active
Status beta
Risk Medium
CWE 749
WASC 45
Technologies Targeted All
Tags CWE-749
OWASP_2017_A06
OWASP_2021_A05
OWASP_2025_A02
POLICY_DEV_FULL
POLICY_PENTEST
POLICY_QA_FULL
WSTG-V42-CONF-06
More Info Scan Rule Help

Summary

PUT was originally intended for file management operations. It is now most commonly used in REST services, where it provides update capabilities: the client PUTs to a known resource URI with a request body containing the updated representation of the resource. The security concern is a web server that honours PUT itself rather than an authenticated application route, since a client can then upload arbitrary content to the document root; a server that merely lists PUT in an Allow header is a weaker signal than one that returns a success status to an actual PUT.

Solution

Disable insecure methods such as PUT, DELETE, TRACK, TRACE, and CONNECT on the web server unless the application explicitly requires them, and ensure that the underlying service implementation does not support them either: a front-end web server rejecting a method is not sufficient if an application server behind it still handles it. Verify the fix by sending the method, not only by inspecting the Allow header.
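The following is an added example, not ZAP's code and not the scan rule's implementation. It does by hand what the Summary and Solution describe: send OPTIONS and read the Allow header, then confirm PUT with an actual upload and TRACE with a marker header that must be echoed back. It runs offline against a constructed local http.server target, once in a permissive configuration and once with PUT and TRACE refused with 405. The host, port and probe path are assumptions.

```python
"""Added example, not ZAP's code: probe a target for live insecure HTTP methods.

Runs offline against a constructed local http.server target so the result is
reproducible; the hostname, port and probe path are assumptions.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Methods the alert family covers; whether one is insecure depends on whether
# the web server itself (not an authenticated application route) honours it.
INSECURE_METHODS = {"PUT", "DELETE", "TRACE", "TRACK", "CONNECT"}


def parse_allow(allow):
    """Insecure methods advertised in an Allow header value, normalised and sorted."""
    advertised = {m.strip().upper() for m in (allow or "").split(",") if m.strip()}
    return sorted(advertised & INSECURE_METHODS)


class PermissiveHandler(BaseHTTPRequestHandler):
    """Constructed vulnerable target: advertises and honours PUT and TRACE."""

    def log_message(self, *args):  # keep the probe output quiet
        pass

    def _drain(self):
        """Consume the request body so the socket closes cleanly."""
        self.rfile.read(int(self.headers.get("Content-Length", 0)))

    def do_OPTIONS(self):
        self.send_response(204)
        self.send_header("Allow", "GET, HEAD, POST, PUT, DELETE, TRACE")
        self.end_headers()

    def do_PUT(self):
        self._drain()  # a real server would write this into the document root
        self.send_response(201)
        self.end_headers()

    def do_TRACE(self):
        # Echo the request back, headers included: this is what lets TRACE
        # disclose cookies and auth headers to a script that can read the reply.
        body = (self.requestline + "\r\n" + str(self.headers)).encode("latin-1")
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


class HardenedHandler(PermissiveHandler):
    """The same target with the Solution applied: PUT and TRACE are refused."""

    def do_OPTIONS(self):
        self.send_response(204)
        self.send_header("Allow", "GET, HEAD, POST")
        self.end_headers()

    def do_PUT(self):
        self._drain()
        self.send_error(405)

    def do_TRACE(self):
        self.send_error(405)


def probe(host, port, path="/zap-probe.txt"):
    """Report insecure methods the target advertises and those that actually work.

    Advertised and confirmed are kept separate: a server can claim a method it
    rejects, or honour one it never advertises.
    """
    conn = http.client.HTTPConnection(host, port, timeout=5)

    conn.request("OPTIONS", path)
    resp = conn.getresponse()
    resp.read()
    findings = {"advertised": parse_allow(resp.getheader("Allow")), "confirmed": []}

    # PUT is confirmed only by a 2xx to a body we chose, never by the Allow header.
    conn.request("PUT", path, body=b"zap-probe", headers={"Content-Type": "text/plain"})
    resp = conn.getresponse()
    resp.read()
    if 200 <= resp.status < 300:
        findings["confirmed"].append("PUT")

    # TRACE is confirmed by our own marker header coming back in the body.
    conn.request("TRACE", path, headers={"X-Zap-Probe": "1"})
    resp = conn.getresponse()
    if resp.status == 200 and b"X-Zap-Probe" in resp.read():
        findings["confirmed"].append("TRACE")

    conn.close()
    return findings


def scan(handler_cls):
    """Start a constructed local target on an ephemeral port, probe it, tear it down."""
    server = HTTPServer(("127.0.0.1", 0), handler_cls)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return probe("127.0.0.1", server.server_address[1])
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print("vulnerable:", scan(PermissiveHandler))
    print("hardened:  ", scan(HardenedHandler))
```

The probe deliberately uploads a body and looks for its own marker rather than trusting the Allow header, because the header is the server's opinion of itself; a 201 to PUT or an echoed header from TRACE is evidence. Against a real target, the PUT probe leaves a file behind if it succeeds, so use a path you can delete and note it in the report.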

Other Info

See the discussion on Security Stack Exchange: https://security.stackexchange.com/questions/21413/how-to-exploit-http-methods. For an overview of REST operations, see https://www.restapitutorial.com/lessons/httpmethods.html

References

Code

org/zaproxy/zap/extension/ascanrulesBeta/InsecureHttpMethodScanRule.java