Application accepts arbitrary methods

Document ID : KB000094901
Last Modified Date : 07/05/2018
Introduction:
It has been observed that the application accepts the OPTIONS HTTP method.
Question:
It has been observed that the application accepts the OPTIONS HTTP method. Using Burp Suite, craft a request using the OPTIONS HTTP method. The response shows that the method is enabled on the server and lists the other methods enabled on the server.
Environment:
All Versions of SSG
Answer:
The OPTIONS method only tells you which methods are available. It's not a vulnerability so much as a shortcut to trying out all the methods one by one. As long as we have TRACE disabled, we are fine.
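
One way to confirm the condition in the answer (TRACE disabled) is to send TRACE itself rather than rely on what OPTIONS advertises. The following is an added example, not code from the vendor or the product; the function names are hypothetical and the sample responses in the `__main__` block are constructed.

```python
import http.client

def parse_allow(value):
    """Split an Allow header value into a set of upper-case method names."""
    return {m.strip().upper() for m in (value or "").split(",") if m.strip()}

def probe(host, port, method, path="/", use_tls=False, timeout=5):
    """Send one request with the given method; return (status, headers, body)."""
    cls = http.client.HTTPSConnection if use_tls else http.client.HTTPConnection
    conn = cls(host, port, timeout=timeout)
    try:
        conn.request(method, path)
        resp = conn.getresponse()
        body = resp.read(4096).decode("latin-1")
        return resp.status, {k.lower(): v for k, v in resp.getheaders()}, body
    finally:
        conn.close()

def classify(allow_header, trace_status, trace_body):
    """Turn the OPTIONS and TRACE responses into a finding."""
    advertised = parse_allow(allow_header)
    # A server that honours TRACE replies 200 and echoes the request message,
    # so the body starts with the request line. The Allow header is advisory
    # only: TRACE can be served without being listed, and listed but blocked.
    served = trace_status == 200 and trace_body.lstrip().upper().startswith("TRACE ")
    return {
        "advertised": sorted(advertised),
        "trace_advertised": "TRACE" in advertised,
        "trace_served": served,
        "ok": not served,
    }

def audit(host, port, path="/", use_tls=False):
    """Run both probes against one endpoint and classify the result."""
    _, headers, _ = probe(host, port, "OPTIONS", path, use_tls)
    status, _, body = probe(host, port, "TRACE", path, use_tls)
    return classify(headers.get("allow"), status, body)

if __name__ == "__main__":
    # Constructed responses, not captured from a real gateway.
    print(classify("GET, POST, OPTIONS", 405, ""))
    print(classify("GET, POST", 200, "TRACE / HTTP/1.1\r\nHost: gw.example\r\n"))
```

Call `audit(host, port, use_tls=True)` against a listener you administer; `ok` is false only when TRACE is actually served, regardless of what the `Allow` header lists.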