1

I have a web application hosted in IIS 8.5. I would like to disable the insecure HTTP methods (OPTIONS, PUT, DELETE). To check whether a method is disabled or not, I am using Burp Suite.

I disabled them by navigating to Request Filtering -> HTTP Verbs -> Deny Verbs and adding PUT and DELETE in IIS.

When I tried the PUT method in Burp Suite, it showed "HTTP/1.1 404 Not Found. 404 - File or directory not found." My expectation was that if an HTTP method is disabled and we try that method using Burp Suite, it should display "405 Method Not Allowed".

Aditi Parikh
subash
  • Where can I find the HTTP error substatus? – subash Sep 26 '17 at 15:55
  • Hi, I found the error substatus in the IIS logs. 2017-09-27 13:27:13 53656454764 OPTIONS / - 443 - 54435435435 Mozilla/5.0+(Macintosh;+Intel+Mac+OS+X+10.12;+rv:55.0)+Gecko/20100101+Firefox/55.0 https://blahblahhdhskh.com 404 6 0 155. The last number 404 and substatus 6 indicate the verbs were denied. – subash Sep 27 '17 at 14:44
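
The log check described in the comment above, as an added example that is not part of the original thread: it parses IIS W3C log lines and reports whether each verb that should be denied only ever received 404.6, the status and substatus the comment identifies as a denied verb. The sample log, its addresses and the function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample in IIS W3C extended format (addresses from documentation ranges).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 8.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2017-09-27 13:27:13 192.0.2.10 OPTIONS / - 443 - 198.51.100.7 Mozilla/5.0 - 404 6 0 155
2017-09-27 13:27:20 192.0.2.10 PUT /upload.txt - 443 - 198.51.100.7 Mozilla/5.0 - 404 6 0 31
2017-09-27 13:27:31 192.0.2.10 DELETE /index.html - 443 - 198.51.100.7 Mozilla/5.0 - 405 0 1 12
2017-09-27 13:27:40 192.0.2.10 GET /missing.html - 443 - 198.51.100.7 Mozilla/5.0 - 404 0 2 9
2017-09-27 13:27:52 192.0.2.10 GET / - 443 - 198.51.100.7 Mozilla/5.0 - 200 0 0 40
"""

def parse_w3c(text):
    """Yield one dict per request, using the most recent #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):   # skip truncated or malformed rows
                yield dict(zip(fields, values))

def verb_outcomes(text):
    """Map each HTTP verb to the set of 'status.substatus' codes it received."""
    seen = defaultdict(set)
    for row in parse_w3c(text):
        seen[row["cs-method"]].add(f'{row["sc-status"]}.{row["sc-substatus"]}')
    return dict(seen)

def audit_denied_verbs(text, denied):
    """Classify each verb that Request Filtering is expected to deny."""
    outcomes = verb_outcomes(text)
    report = {}
    for verb in denied:
        codes = outcomes.get(verb, set())
        if not codes:
            report[verb] = "untested"        # no request with this verb in the log
        elif codes == {"404.6"}:
            report[verb] = "denied"          # every request hit the verb filter
        else:
            report[verb] = "not-filtered"    # some request got past the verb filter
    return report

if __name__ == "__main__":
    for verb, state in audit_denied_verbs(SAMPLE_LOG, ["OPTIONS", "PUT", "DELETE", "TRACE"]).items():
        print(f"{verb:8} {state}")
```

A plain 404.0 (as on the GET for a missing file) is a real "not found", so the substatus column is what separates a filtered verb from a missing resource.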

1 Answer

0

You need to make these settings in the web.config file.

<system.web>
...
  <httpHandlers>
  ...
    <add path="*" verb="OPTIONS" type="System.Web.DefaultHttpHandler" validate="true"/>
    <add path="*" verb="TRACE" type="System.Web.DefaultHttpHandler" validate="true"/>
    <add path="*" verb="HEAD" type="System.Web.DefaultHttpHandler" validate="true"/>
  </httpHandlers>
</system.web>

For more information, look at BrutalDev's post.

Potti