From c6245cef64c02d8a8b098fa482bd94d6ed0d1891 Mon Sep 17 00:00:00 2001 From: Nathan Aw Date: Fri, 8 Nov 2019 23:44:31 +0800 Subject: [PATCH] Create 0xa10-multiple-verbs-exposure.md --- 2019/en/src/0xa10-multiple-verbs-exposure.md | 6 ++++++ 1 file changed, 6 insertions(+) create mode 100644 2019/en/src/0xa10-multiple-verbs-exposure.md diff --git a/2019/en/src/0xa10-multiple-verbs-exposure.md b/2019/en/src/0xa10-multiple-verbs-exposure.md new file mode 100644 index 000000000..dbc5aa043 --- /dev/null +++ b/2019/en/src/0xa10-multiple-verbs-exposure.md @@ -0,0 +1,6 @@ +By default, APIs do not restrict/limit the HTTP Verbs/Methods by which they can be accessed. In rare occasions, depending on how secure the server was or is setup, a sophisticated attacker may be able to use HEAD to leak information/secrets on the server. + +API developers should ensure that APIs they build can only be accessed by the prescribed and specified HTTP verbs. All other verbs should not be permitted. + +Nathan Aw +(Singapore)
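Review bot: The central claim in the first paragraph of the new file is not well supported: HEAD is defined as GET without a response body, so a server that already answers GET leaks nothing additional by also answering HEAD. If the entry is meant to describe a real weakness in unrestricted methods, it should say which methods and why, for example an endpoint whose authorization check is keyed on GET/POST but which also accepts PUT, DELETE or PATCH with no check, or diagnostic methods such as TRACE and OPTIONS being left enabled. The "rare occasions" and "sophisticated attacker" hedging should be replaced by a concrete "Is the API Vulnerable?" statement. The second paragraph gives the mitigation but not how to verify it; suggest adding that requests with a non-listed method must be answered with `405 Method Not Allowed` (with an `Allow` header listing the permitted methods) rather than routed to a handler, and that this be enforced at the router or gateway and covered by a test that sends every method to every route. Finally, the trailing lines "Nathan Aw" and "(Singapore)" are author attribution and belong in the commit metadata (the From: line already carries it), not in the body of a source document that will be rendered into the project.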