Description
This article describes a security risk named: "Undefined CVE, HTTP OPTIONS Method Enabled".
Web servers that respond to the OPTIONS HTTP method expose what other methods are supported by the web server, allowing attackers to narrow and intensify their efforts.
Scope
Fortinet Products supporting HTTP OPTIONS Method in HTTP servers.
Solution
If the response to an HTTP OPTIONS request lists only the following methods:
1) POST
2) OPTIONS
3) HEAD
4) GET
the result does not reveal any security concern, as these methods are supported by practically all HTTP servers.
This scan report item itself can then be treated as a false positive.
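A small triage helper for this finding, added here as an example and not part of the Fortinet article: it parses the Allow header from an OPTIONS response and applies the rule above (only GET, POST, OPTIONS and HEAD means false positive), listing any additional methods that need review. The URL, host and sample header values are assumptions.

```python
"""Triage helper for the "HTTP OPTIONS Method Enabled" scan finding.

Added example, not part of the Fortinet article. It applies the article's
rule: an Allow header containing only GET/POST/OPTIONS/HEAD is a false
positive; any other advertised method deserves a closer look.
"""
import http.client
import urllib.parse

# Methods the article treats as benign because every HTTP server supports them.
BENIGN_METHODS = frozenset({"GET", "POST", "OPTIONS", "HEAD"})


def parse_allow_header(allow):
    """Return the set of method tokens in an Allow header (comma-separated, case-insensitive)."""
    if not allow:
        return set()
    return {m.strip().upper() for m in allow.split(",") if m.strip()}


def triage(allow):
    """Classify an Allow header value per the article's rule.

    Returns (verdict, extra_methods): "false_positive" when only benign
    methods are advertised, "review" when additional methods are present
    (extra_methods lists them, sorted), "no_allow_header" when none were advertised.
    """
    methods = parse_allow_header(allow)
    if not methods:
        return "no_allow_header", []
    extra = sorted(methods - BENIGN_METHODS)
    return ("review" if extra else "false_positive"), extra


def fetch_allow_header(url, timeout=5):
    """Send one OPTIONS request to url (assumed reachable) and return its Allow header, or None."""
    parts = urllib.parse.urlsplit(url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.hostname, port=parts.port, timeout=timeout)
    try:
        conn.request("OPTIONS", parts.path or "/")
        return conn.getresponse().getheader("Allow")
    finally:
        conn.close()


if __name__ == "__main__":
    # Constructed sample Allow headers, as a scanner might record them.
    for sample in ("GET, HEAD, POST, OPTIONS", "get,head,options,post,trace", ""):
        print(repr(sample), "->", triage(sample))
```

To check a live host, call `triage(fetch_allow_header("https://<host>/"))`; a "review" verdict with an empty-looking benign set means the extra methods are the real question, not OPTIONS itself.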
There is no dedicated command to disable the HTTP OPTIONS method, and none is scheduled.
To specifically block HTTP OPTIONS requests, the following custom IPS signature can be applied:
F-SBID( --name "HTTP.OPTIONS.Method.Request"; --service HTTP; --flow from_client; --pattern "OPTIONS "; --context uri; --no_case; --within 8,context; )
Copyright 2024 Fortinet, Inc. All Rights Reserved.