how to disable insecure http methods(OPTIONS,PUT,DELETE)

iis-8 http-put requestfiltering
subash picture subash · Sep 26, 2017 · Viewed 7.3k times · Source

I have an web application hosted in IIS 8.5. I would like to disable the insecure http methods(OPTIONS,PUT,DELETE). so to check if the method is disabled or not I am using burp suite.

I have disabled by navigating to Requestfiltering-> HTTPVerbs ->DenyVerbs and added PUT and DELETE in IIS.

when I tried using PUT method in burp suite, it was showing HTTP/1.1 404 Not Found.404 - File or directory not found. my expectation was if a HTTP method is disabled and when we try the method using burpsuite it should be displaying "405 Method Not Allowed".

Answer

Potti picture Potti · Nov 9, 2017

You need to make these settings in the web.config file.

<system.web>
...
  <httpHandlers>
  ... 
    <add path="*" verb="OPTIONS" type="System.Web.DefaultHttpHandler" validate="true"/>
    <add path="*" verb="TRACE" type="System.Web.DefaultHttpHandler" validate="true"/>
    <add path="*" verb="HEAD" type="System.Web.DefaultHttpHandler" validate="true"/>

For more information, look at the BrutalDev's post

Related questions

IIS_IUSRS and IUSR permissions in IIS8

I've just moved away from IIS6 on Win2003 to IIS8 on Win2012 for hosting ASP.NET applications. Within one particular folder in my application I need to Create & Delete files. After copying the files to the new server, I …

Read More
HTTP Error 500.19 and error code : 0x80070021

I have a simple webAPI build by Visual Studio 2013. It works well when I run it from VS13 but when I copy the project in local IIS it gives me the following error. HTTP Error 500.19 - Internal Server Error The …

Read More
WCF on IIS8; *.svc handler mapping doesn't work

I'm trying to get a wcf service running in IIS8 on 2012 build 8400. When installing the web role the wcf stuff (under 3.51) wasn't to be found like in 2008. When installed the svc handler mapping was missing, so i did a: %windir%\…

Read More