Insecure HTTP methods enabled - Scala

Insecure HTTP methods enabled - Scala

Need

Secure HTTP method configuration

Context

  • Usage of Scala 2.12 for developing scalable and high-performance applications
  • Usage of play.api.mvc._ for handling HTTP requests and responses in Play Framework
  • Usage of HomeController as a controller for handling requests and responses

Description

Non compliant code

        # conf/routes
GET     /                           controllers.HomeController.index
POST    /                           controllers.HomeController.submit
PUT     /                           controllers.HomeController.update
DELETE  /                           controllers.HomeController.remove
TRACE   /                           controllers.HomeController.trace
        
        

The above code is vulnerable because it enables HTTP methods such as TRACE, PUT, and DELETE.

The TRACE method is used for diagnostic purposes and can be exploited to perform cross-site tracing (XST) attacks. XST can be used to bypass security measures and steal sensitive information.

The PUT and DELETE methods are used to upload and delete resources respectively. If these methods are enabled without proper authorization checks, an attacker can upload malicious files or delete important resources.

In the provided code, all HTTP methods are enabled for the same route ("/") and handled by the same controller (HomeController). This means that any client can send a request with any of these methods to the server. This is a security risk as it allows an attacker to exploit these methods for malicious purposes.

Steps

  • Disable or restrict the use of insecure HTTP methods (TRACE, PUT, DELETE) in the application.
  • Remove or comment out the routes that enable the insecure HTTP methods in the application's route configuration file.
  • Implement proper access controls and authentication mechanisms to prevent unauthorized access to sensitive functionality.
  • Regularly update and patch the application and its dependencies to ensure the latest security fixes are applied.
  • Perform security testing and code reviews to identify and address any other potential vulnerabilities in the application.

Compliant code

        # conf/routes
GET     /                           controllers.HomeController.index
POST    /                           controllers.HomeController.submit
# PUT     /                           controllers.HomeController.update
# DELETE  /                           controllers.HomeController.remove
# TRACE   /                           controllers.HomeController.trace
        
        

The original code had HTTP methods TRACE, PUT, and DELETE enabled in the routes configuration file. These methods can potentially allow an attacker to include and/or delete files, or perform cross-site tracing attacks.

The updated code comments out the routes that enable these insecure HTTP methods. This effectively disables these methods in the application, mitigating the risk of potential attacks.

In addition to this, it is recommended to implement proper access controls and authentication mechanisms to prevent unauthorized access to sensitive functionality. Regularly updating and patching the application and its dependencies to ensure the latest security fixes are applied is also crucial.

Finally, performing security testing and code reviews can help identify and address any other potential vulnerabilities in the application.

References