HTTP OPTIONS Vulnerability – IIS
Written by Spencer Malmad
Overview
Using Nexpose we have identified a number of vulnerabilities; this document shows how to remediate the HTTP OPTIONS method vulnerability.
For further information see https://www.owasp.org/index.php/Test_HTTP_Methods_(OTG-CONFIG-006)
Disable HTTP OPTIONS Method in IIS
The following steps disable the HTTP OPTIONS method on Windows Server 2008 R2, 2012, 2012 R2 and 2016.
Effectively, the following setting is written to the global web.config file, C:\inetpub\wwwroot\web.config:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <verbs>
          <!-- Request filtering rejects any request using the OPTIONS verb -->
          <add verb="OPTIONS" allowed="false" />
        </verbs>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
STEPS:
Logged in with administrative rights to the Windows Server:
1. Launch Start -> Run, enter inetmgr and press Enter.
2. When prompted by UAC, click "Yes". IIS Manager opens.
3. In the Connections pane, navigate to "<IIS Servername>" -> "Request Filtering".
4. Open the "HTTP Verbs" tab.
5. Right-click in the white space and choose "Deny Verb" from the menu.
6. Enter the text "OPTIONS" and click "OK".
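The same change can be scripted, which is useful when the finding has to be fixed on many servers and then re-checked. The following PowerShell is an added example, not part of the original document: it applies the request-filtering rule from the web.config above through the WebAdministration module that ships with IIS, and then sends an OPTIONS request to confirm the server now rejects the verb. It assumes Windows PowerShell on the server itself, an elevated session, and that the local default site answers on http://localhost/; the PSPath value MACHINE/WEBROOT/APPHOST targets the server-wide configuration (applicationHost.config), and a site path such as IIS:\Sites\Default Web Site can be passed instead to scope the rule to one site.

```powershell
# Added example (not from the original document): scripted equivalent of the
# IIS Manager steps above. Run from an elevated Windows PowerShell session on
# the IIS server (WebAdministration ships with IIS on 2008 R2 and later).
Import-Module WebAdministration

# Assumption: the rule is applied server-wide. Replace $psPath with a site path
# such as 'IIS:\Sites\Default Web Site' to restrict it to a single site.
$psPath = 'MACHINE/WEBROOT/APPHOST'
$filter = 'system.webServer/security/requestFiltering/verbs'

# Add <add verb="OPTIONS" allowed="false" /> only when it is not already there,
# so the script can be re-run safely as part of a remediation sweep.
$existing = Get-WebConfiguration -PSPath $psPath -Filter "$filter/add[@verb='OPTIONS']"
if (-not $existing) {
    Add-WebConfigurationProperty -PSPath $psPath -Filter $filter -Name '.' `
        -Value @{ verb = 'OPTIONS'; allowed = 'false' }
    Write-Host 'Added request-filtering deny rule for the OPTIONS verb.'
} else {
    Write-Host "OPTIONS rule already present (allowed=$($existing.allowed))."
}

# Verification: request filtering answers a denied verb with HTTP 404
# (sub-status 404.6, "Verb denied"). Invoke-WebRequest throws on a non-success
# status, so the status code is read from the exception.
$uri = 'http://localhost/'   # assumption: check the local default site
try {
    $resp = Invoke-WebRequest -Uri $uri -Method Options -UseBasicParsing
    Write-Warning "OPTIONS still accepted: HTTP $($resp.StatusCode); Allow: $($resp.Headers['Allow'])"
} catch {
    $status = [int]$_.Exception.Response.StatusCode
    if ($status -eq 404) {
        Write-Host 'OPTIONS is denied (HTTP 404 from request filtering).'
    } else {
        Write-Warning "Unexpected response to OPTIONS: HTTP $status"
    }
}
```

Re-running the scanner after this gives the authoritative confirmation, but the OPTIONS probe at the end catches the common case where the rule was added to the wrong scope and the site still answers with an Allow header. One caveat before applying the rule server-wide: browser CORS preflight requests use the OPTIONS verb, so an application that depends on cross-origin calls will break if its site is covered by the deny rule; scope the rule to the sites that do not need OPTIONS in that case.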