OWASP ASVS 标准是否禁止使用非标准的 HTTP 方法?
Does the OWASP ASVS standard forbid the use of non-standard HTTP methods?
在 owasp 2014 (https://www.owasp.org/images/5/58/OWASP_ASVS_Version_2.pdf) 中我们有:
V 11.2 (page 31): Verify that the application accepts only a defined
set of HTTP request methods, such as GET and POST and unused methods
are explicitly blocked.
这是否意味着我们不能使用非标准的 HTTP 方法?如果是,我们可以说 WebDAV 不符合 OWASP ASVS 标准吗?如果答案是否定的,是否有任何正式文件、博客 post 或常见问题解答?
我的理解是,只要您定义接受哪些请求方法并阻止其他所有方法,您就可以使用任何您想要的方法。
only a defined set
与您不能使用 none 标准不同,它说例如如果您不使用 POST 您应该明确阻止 POST
such as GET and POST
此处的 GET 和 POST 是方法示例,并非可用方法的完整列表。
因此请使用适合您需求的方法,但要确认应用程序不接受任何不在可接受请求列表中的请求
快速回答是否定的!我问了 Owasp ASVS 项目负责人 Andrew van der Stock。这是我的问题:
Dear Owasp Asvs project leaders (Daniel & Vanderaj),
I want to know if OWASP ASVS 2014 Level 1 force us to use just
standardized Http Methods(GET,HEAD,POST,PUT,
DELETE,CONNECT,OPTIONS,TRACE) or we can use non-standardized Http
methods too? (by listing them in a document like what
WebDav(https://en.wikipedia. org/wiki/WebDAV) did)
With Respect
然后他回复我:
I think the primary driver is not to worry about which methods are
available, but if they are necessary and safely configured.
Essentially, we are asking for: All methods are denied by default,
except for: A positive set of allowed methods, AND all these methods
are correctly and securely configured
For example, OPTIONS and HEAD are required by Chrome doing pre-flight
CORS checks on AngularJS and other apps, and many apps require PUT and
DELETE. Therefore these methods are necessary. If you use a new
method, such as "EXAMPLE", the idea is that you don't also accept any
other words, such as "RIDICULOUS", and "EXAMPLE" is correctly
configured to be safe.
So if WebDAV is also enabled for whatever reason, it's important to
make sure that it is properly secured. There may be a solid reason for
it to exist (e.g. SharePoint), but to allow anonymous users to
overwrite your site or change things is not okay.
thanks, Andrew
在 owasp 2014 (https://www.owasp.org/images/5/58/OWASP_ASVS_Version_2.pdf) 中我们有:
V 11.2 (page 31): Verify that the application accepts only a defined set of HTTP request methods, such as GET and POST and unused methods are explicitly blocked.
这是否意味着我们不能使用非标准的 HTTP 方法?如果是,我们可以说 WebDAV 不符合 OWASP ASVS 标准吗?如果答案是否定的,是否有任何正式文件、博客 post 或常见问题解答?
我的理解是,只要您定义接受哪些请求方法并阻止其他所有方法,您就可以使用任何您想要的方法。
only a defined set
与您不能使用 none 标准不同,它说例如如果您不使用 POST 您应该明确阻止 POST
such as GET and POST
此处的 GET 和 POST 是方法示例,并非可用方法的完整列表。
因此请使用适合您需求的方法,但要确认应用程序不接受任何不在可接受请求列表中的请求
快速回答是否定的!我问了 Owasp ASVS 项目负责人 Andrew van der Stock。这是我的问题:
Dear Owasp Asvs project leaders (Daniel & Vanderaj),
I want to know if OWASP ASVS 2014 Level 1 force us to use just standardized Http Methods(GET,HEAD,POST,PUT, DELETE,CONNECT,OPTIONS,TRACE) or we can use non-standardized Http methods too? (by listing them in a document like what WebDav(https://en.wikipedia. org/wiki/WebDAV) did)
With Respect
然后他回复我:
I think the primary driver is not to worry about which methods are available, but if they are necessary and safely configured.
Essentially, we are asking for: All methods are denied by default, except for: A positive set of allowed methods, AND all these methods are correctly and securely configured
For example, OPTIONS and HEAD are required by Chrome doing pre-flight CORS checks on AngularJS and other apps, and many apps require PUT and DELETE. Therefore these methods are necessary. If you use a new method, such as "EXAMPLE", the idea is that you don't also accept any other words, such as "RIDICULOUS", and "EXAMPLE" is correctly configured to be safe.
So if WebDAV is also enabled for whatever reason, it's important to make sure that it is properly secured. There may be a solid reason for it to exist (e.g. SharePoint), but to allow anonymous users to overwrite your site or change things is not okay.
thanks, Andrew