Feature: OPTIONSBLEED #703

Open
drwetter opened this issue Oct 12, 2020 · 3 comments


@drwetter
Contributor

Description

... would be great to get added. Check doesn't seem to be rocket science, to me.

Links/Info

https://blog.fuzzing-project.org/60-Optionsbleed-HTTP-OPTIONS-method-can-leak-Apaches-server-memory.html
https://nvd.nist.gov/vuln/detail/CVE-2017-9798

@sullo
Owner

sullo commented May 8, 2021

Interesting bug. The only idea I can think of to check for this would be to assume that all actual HTTP methods would match /^[A-Z]+$/. Anything in the Allow header that doesn't match that pattern would have to alert.

The other alternative would be to have a list of possible methods and call out anything not in that list. It would be reasonable with normal HTTP methods and WebDAV methods, but I'm not sure what others exist. Perhaps alerting on "weird" methods is desirable anyway? In any case, this would be more false-positive prone IMO.

Thoughts?

@drwetter
Contributor Author

drwetter commented May 10, 2021

> Interesting bug. The only idea I can think of to check for this would be to assume that all actual HTTP methods would match /^[A-Z]+$/. Anything in the Allow header that doesn't match that pattern would have to alert.

Sounds good. I believe one comma should be added and the pattern seems to require extra care: Allow: POST,OPTIONS,GET,HEAD should be ok (including maybe some spaces). However, others are not ok (taken from https://blog.fuzzing-project.org/60-Optionsbleed-HTTP-OPTIONS-method-can-leak-Apaches-server-memory.html): Allow: ,GET,,,POST,OPTIONS,HEAD,, or Allow: GET,HEAD,OPTIONS,,HEAD,,HEAD,,HEAD,,

Maybe I am missing something but the alternative you suggested doesn't sound so difficult:

Standard methods: GET, POST, HEAD, PUT, PATCH, DELETE, TRACE, OPTIONS, CONNECT (~from old HTTP/1.1 standard)
WebDAV: PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, UNLOCK
In addition: https://datatracker.ietf.org/doc/html/rfc7237#section-3
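The two checks discussed in this thread, combined into one Allow-header validator. This is an added example, not code from the project or from either commenter; the function name `check_allow`, the severity labels and the handling of repeated methods are assumptions of the example.

```python
import re

# Method list taken from the thread: HTTP/1.1 standard methods plus WebDAV.
# The RFC 7237 registry linked there has more entries; extend as needed.
KNOWN_METHODS = {
    "GET", "POST", "HEAD", "PUT", "PATCH", "DELETE", "TRACE", "OPTIONS",
    "CONNECT", "PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK",
    "UNLOCK",
}
STRICT_METHOD = re.compile(r"[A-Z]+")  # the /^[A-Z]+$/ idea, used with fullmatch


def check_allow(value):
    """Return sorted (severity, message) findings for one Allow header value."""
    if not value.strip():
        return []  # an empty Allow value just means "no methods allowed"
    # Split on commas and tolerate optional whitespace around each element.
    elements = [e.strip(" \t") for e in value.split(",")]
    findings = set()
    empties = elements.count("")
    if empties:
        findings.add(("alert", f"{empties} empty list element(s)"))
    seen = set()
    for method in filter(None, elements):
        if not STRICT_METHOD.fullmatch(method):
            findings.add(("alert", f"not a method name: {method!r}"))
        elif method not in KNOWN_METHODS:
            findings.add(("info", f"method not in known list: {method}"))
        elif method in seen:
            # Assumption of this example: repeats are reported, not alerted on.
            findings.add(("info", f"repeated method: {method}"))
        seen.add(method)
    return sorted(findings)


if __name__ == "__main__":
    samples = [
        "POST,OPTIONS,GET,HEAD",                 # from the thread: fine
        ",GET,,,POST,OPTIONS,HEAD,,",            # from the thread: not ok
        "GET,HEAD,OPTIONS,,HEAD,,HEAD,,HEAD,,",  # from the thread: not ok
        "GET, POST, MKCALENDAR",                 # constructed: unlisted method
        "GET,HEAD,vhosts.d/example",             # constructed: non-method text
    ]
    for s in samples:
        print(f"Allow: {s!r} -> {check_allow(s) or 'ok'}")
```

Keeping the strict pattern as the alerting rule and the known-method list as informational output avoids the false positives raised above for servers that expose unusual but well-formed methods.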

@iasdeoupxe
Contributor
