0

I'm failing a security scan that is saying my .NET application is allowing verb tunneling and the recommendation is to disable this. The application needs to accept PUT and DELETE headers as well as GET and POST.

The scan is sending these headers to an endpoint that accepts POSTs:

X-HTTP-METHOD: PUT
X-HTTP-Method-Override: PUT
X-METHOD-OVERRIDE: PUT

I've done a lot of research and am having a hard time finding a way to "disable" verb tunneling. It seems that these methods need to be allowed, not the other way around.

For example, in .NET the HttpMethodOverrideExtensions method is what allows these types of headers. I'm seeing multiple tutorials on how to allow the three headers posted above.

Am I correct in my response saying the application by default does not allow verb tunneling, as the methods to allow it are not in the application's code base?

Cameron
  • Allowing them for normal actions isn't the same as allowing overrides. Perhaps [this](https://security.stackexchange.com/questions/196247/how-to-disable-the-use-of-http-verb-tunneling-using-http-headers-or-query-parame) will help? It's Java, but web config for IIS or something similar for other servers. – Nikki9696 Apr 09 '21 at 19:42

2 Answers

1

I only have experience resolving this issue in Java, but I hope my solution has some translation to .NET that helps you. It looks like you're getting the issue "Often Misused: HTTP Method Override" reported by Fortify's WebInspect scanner. To resolve this for my team I implemented a filter that listens for our bad headers (x-http-method, x-http-method-override, x-method-override), sets status to 405 and breaks if they are found. See code below. I know this is not the most graceful solution, but it is the only one I found that satisfies the scan (throwing an error and booting the user did not satisfy).

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

// The class name and the SLF4J logger are assumptions; the post shows only doFilter.
// Relies on Servlet 4.0's default init()/destroy(); map it to /* in web.xml or with @WebFilter.
public class MethodOverrideFilter implements Filter {

    private static final Logger LOG = LoggerFactory.getLogger(MethodOverrideFilter.class);

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest hsReq = (HttpServletRequest) req;
        HttpServletResponse hsRes = (HttpServletResponse) res;

        // General hardening headers; unrelated to the method-override finding.
        hsRes.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
        hsRes.setHeader("Pragma", "no-cache");
        hsRes.setDateHeader("Expires", 0);
        hsRes.setHeader("X-XSS-Protection", "1; mode=block");
        hsRes.addHeader("X-Content-Type-Options", "nosniff");
        hsRes.setHeader("Content-Security-Policy", "frame-ancestors 'none'; default-src *; style-src 'self' http://* 'unsafe-inline'; script-src 'self' http://* 'unsafe-inline' 'unsafe-eval'");
        hsRes.setHeader("X-FRAME-OPTIONS", "DENY");
        hsRes.setHeader("Strict-Transport-Security", "max-age=31536000; includeSubDomains;");

        // This resolves "Often Misused: HTTP Method Override"
        hsRes.setHeader("Access-Control-Allow-Methods", "GET, POST");
        // Parameter variant of tunneling (?_method=PUT or a _method form field).
        String methodParam = hsReq.getParameter("_method");
        if (methodParam != null) {
            LOG.error("\n Bad actor is attempting to use HTTP Method Tunneling. \n");
            hsRes.reset(); // also discards the headers set above
            hsRes.setStatus(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
            return;
        }
        // Header variants; getHeader() matches header names case-insensitively.
        String xhmHeader = hsReq.getHeader("x-http-method");
        String xhmoHeader = hsReq.getHeader("x-http-method-override");
        String xmoHeader = hsReq.getHeader("x-method-override");
        if ((xhmHeader != null) || (xhmoHeader != null) || (xmoHeader != null)) {
            LOG.error("\n Bad actor is attempting to use HTTP Method Tunneling. \n");
            hsRes.reset();
            hsRes.setStatus(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
            return;
        }

        chain.doFilter(req, res);
    }
}
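The .NET counterpart of the filter above, and a direct answer to the question's point about HttpMethodOverrideExtensions. This is an added example, not code from the question, the answer, or any project; it is an ASP.NET Core (.NET 6+) minimal API with hypothetical /items endpoints. Two things matter: the app never calls app.UseHttpMethodOverride(), which is the only framework call that rewrites Request.Method from those headers, so by default the headers are inert; and a small middleware additionally answers 405 whenever an override header or a _method form field is present, so the scanner sees the tunneling attempt refused rather than silently ignored. Note that Access-Control-Allow-Methods, set in the Java filter, is a CORS response header and has no bearing on whether the server honours method override.

```csharp
// Added example (ASP.NET Core minimal API); endpoint paths are hypothetical.
using System.Linq;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;

var builder = WebApplication.CreateBuilder(args);
var app = builder.Build();

// The override headers the scanner sends (and that UseHttpMethodOverride would
// honour). Header lookup in ASP.NET Core is case-insensitive.
string[] overrideHeaders =
{
    "X-HTTP-Method",
    "X-HTTP-Method-Override",
    "X-Method-Override",
};

// Deliberately absent: app.UseHttpMethodOverride(). Without it a POST carrying
// "X-HTTP-Method-Override: PUT" is routed as a POST and the header does nothing.

// Fail closed when any tunneling vector is present so the refusal is explicit.
app.Use(async (context, next) =>
{
    var request = context.Request;
    bool tunneled = overrideHeaders.Any(h => request.Headers.ContainsKey(h));

    // The form-field variant (_method=PUT) only applies to form posts;
    // ReadFormAsync throws on other content types, hence the guard.
    if (!tunneled && request.HasFormContentType)
    {
        var form = await request.ReadFormAsync();
        tunneled = form.ContainsKey("_method");
    }

    if (tunneled)
    {
        context.Response.StatusCode = StatusCodes.Status405MethodNotAllowed;
        context.Response.Headers["Allow"] = "GET, POST, PUT, DELETE";
        return;
    }

    await next(context);
});

// Genuine PUT and DELETE still work: routing matches the real request verb.
app.MapGet("/items/{id}", (int id) => Results.Ok(new { id }));
app.MapPost("/items", () => Results.Created("/items/1", new { id = 1 }));
app.MapPut("/items/{id}", (int id) => Results.Ok(new { id, updated = true }));
app.MapDelete("/items/{id}", (int id) => Results.NoContent());

app.Run();
```

To verify the behaviour the scanner is probing, send the same requests it does: `curl -i -X POST -H 'X-HTTP-Method-Override: PUT' http://localhost:5000/items` should return 405, a plain `curl -i -X POST http://localhost:5000/items` should return 201, and a real `curl -i -X PUT http://localhost:5000/items/1` should return 200. To confirm the default is really off in an existing code base, grep it for UseHttpMethodOverride (and, in classic ASP.NET MVC, for HttpMethodOverride.GetOverriddenHttpMethod); if neither appears, nothing is translating those headers. When the app is hosted in IIS the web.config headerLimits approach in the other answer can be layered on top so the request is rejected before it reaches the pipeline.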
-1

I found this solution on another stackoverflow question:

https://stackoverflow.com/questions/66032991/how-do-i-ensure-that-x-http-method-headers-are-ignored

In short, this is the accepted answer on that question, which adds this to your web.config:

<system.webServer>
  ...
  <security>
    <requestFiltering>
      <requestLimits>
        <headerLimits>
          <add header="X-Http-Method-Override" sizeLimit="0" />
          <add header="X-Method-Override" sizeLimit="0" />
          <add header="X-HTTP-Method" sizeLimit="0" />
        </headerLimits>
      </requestLimits>
      ...
    </requestFiltering>
  </security>
  ...
</system.webServer>