Enabling HTTP verb permissions

Verb tampering is an attack that exploits weaknesses in HTTP verb (method) based authentication and access control. To mitigate verb tampering, configure the web server's HTTP verb permissions so that only the verbs the application needs are allowed through.

About this task

Hypertext Transfer Protocol defines a set of methods, or verbs, such as GET, POST, PUT, DELETE, HEAD, OPTIONS and TRACE, that a client uses to act on a resource on a web server. Verb tampering vulnerabilities can occur when a security constraint is written for specific verbs and therefore allows more access than intended: a constraint that protects only GET and POST, for example, leaves the same resource reachable through HEAD or through a verb that the application never expected.

In Java™ Platform, Enterprise Edition version 7 or later, you can restrict access to only permitted HTTP verbs in the web application deployment descriptor. However, that deployment descriptor configuration is not supported by the Java Platform, Enterprise Edition version that the IBM® Cúram Social Program Management application currently supports. As an alternative, configure the web server in your Social Program Management deployment environment to permit only the verbs that the application requires. The following procedure covers both IBM HTTP Server and Oracle HTTP Server; use the steps for the web server that you deploy.

Procedure

  • Use the following steps to enable HTTP verb permissions by using IBM HTTP Server as a gateway or filter:
    1. Check that the application is working correctly and all pages load and work as expected:
      • In a web browser, navigate to your application's URLs and inspect the browser's network panel to confirm that every request succeeds.
    2. Log on to the web server and locate the IBM HTTP Server home directory, for example, /opt/IBM/HTTPServer.
    3. In the $IHS_HOME/conf.d/ directory, edit the custom_ihs_perf.conf file and insert configuration example 1 from the example that follows this procedure.
    4. In the $IHS_HOME/conf.d/ directory, edit the custom_ssl.conf file and insert configuration example 2 from the example that follows this procedure.
    5. Check the configuration syntax (apachectl -t) and then restart IBM HTTP Server by entering the following commands:
      /opt/IBM/HTTPServer/bin/apachectl stop
      /opt/IBM/HTTPServer/bin/apachectl start
      
    6. Recheck that the application is working correctly, and that all pages load and work as previously.
    7. Check that nonpermitted verbs are blocked from accessing the application: a request that uses a verb outside the permitted list, for example TRACE, must receive a 403 Forbidden response.
  • Use the following steps to enable HTTP verb permissions by using Oracle HTTP Server as a gateway or filter:
    1. Check that the application is working correctly and all pages load and work as expected:
      • In a web browser, navigate to your application's URLs and inspect the browser's network panel to confirm that every request succeeds.
    2. Log on to the web server and locate the Oracle HTTP Server home directory, for example, /home/oracle/Oracle/Middleware/HTTP_Oracle_Home.
    3. In the $OHS_HOME/user_projects/domains/ohs_{domain}/config/fmwconfig/components/OHS/ohs1/ directory, edit the moduleconf/custom_ohs_perf.conf file and insert configuration example 1 from the example that follows this procedure.
    4. In the $OHS_HOME/user_projects/domains/ohs_{domain}/config/fmwconfig/components/OHS/ohs1/ directory, edit the ssl.conf file and insert configuration example 2 from the example that follows this procedure.
    5. To log on as the Oracle user, enter the following command:
      su - oracle
    6. To restart the Oracle HTTP Server, enter the following commands:
      $OHS_HOME/user_projects/domains/ohs_{domain}/bin/stopComponent.sh ohs1
      $OHS_HOME/user_projects/domains/ohs_{domain}/bin/startComponent.sh ohs1
      
    7. Recheck that the application is working correctly, and that all pages load and work as previously.
    8. Check that nonpermitted verbs are blocked from accessing the application: a request that uses a verb outside the permitted list, for example TRACE, must receive a 403 Forbidden response.
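The verification in the final step of each procedure, as an added example that is not part of the original page or of the product: a Python 3 script that sends each verb to the front-end web server and compares the status code with the permitted list from configuration example 1. It assumes the server answers plain HTTP on the host and port that you pass in (use an HTTPS client against port 443 to confirm configuration example 2). The built-in mock server is a constructed stand-in that imitates the rewrite rule so that the script can be exercised offline; the verb list, function names and the mock are this example's own choices.

```python
#!/usr/bin/env python3
"""Probe a web server to confirm that only permitted HTTP verbs get through.

Added example, not product code: it assumes the server under test answers
plain HTTP on host:port. Point it at the IHS/OHS front end after applying
configuration examples 1 and 2.
"""
import http.client
import sys
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Verbs permitted by the RewriteCond in configuration example 1.
ALLOWED = {"GET", "POST", "PUT", "DELETE", "OPTIONS"}

# Verbs to send: the permitted set plus ones the rule must reject.
# HEAD is included on purpose because it is absent from the rule's list.
PROBE = sorted(ALLOWED | {"HEAD", "TRACE", "PATCH", "FOO"})


def probe(host, port, method, path="/"):
    """Send one request with the given verb and return the HTTP status code."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request(method, path)
        return conn.getresponse().status
    finally:
        conn.close()


def verify(host, port, path="/"):
    """Return {verb: (status, ok)}; ok means the verb was handled as the rule
    intends: 403 for non-permitted verbs, anything but 403 for permitted ones."""
    results = {}
    for method in PROBE:
        status = probe(host, port, method, path)
        ok = (status == 403) if method not in ALLOWED else (status != 403)
        results[method] = (status, ok)
    return results


class _RuleMock(BaseHTTPRequestHandler):
    """Constructed stand-in for a server running configuration example 1."""

    def __getattr__(self, name):
        # BaseHTTPRequestHandler dispatches to do_<VERB>; answer every verb.
        if name.startswith("do_"):
            return self._dispatch
        raise AttributeError(name)

    def _dispatch(self):
        # Mirror the RewriteCond: permitted verbs pass, all others get 403.
        self.send_response(200 if self.command in ALLOWED else 403)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):
        pass  # keep the demo output clean


def selfcheck():
    """Run verify() against the mock so the script can be exercised offline."""
    server = HTTPServer(("127.0.0.1", 0), _RuleMock)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return verify("127.0.0.1", server.server_address[1])
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: verb_check.py HOST PORT
        results = verify(sys.argv[1], int(sys.argv[2]))
    else:
        results = selfcheck()
    for verb, (status, ok) in results.items():
        print(f"{verb:8} {status}  {'ok' if ok else 'UNEXPECTED'}")
    sys.exit(0 if all(ok for _, ok in results.values()) else 1)
```

Run it with the web server's host and port after the restart; any line marked UNEXPECTED means either a permitted verb is being rejected (the rule is too strict for the application, or the application itself refuses that verb on the probed path) or a non-permitted verb is reaching the application (the rule is not active in that virtual host, which is what configuration example 2 addresses for HTTPS). Note that the script treats a blocked HEAD as correct because the rule as written blocks it.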

Example

Configuration example 1
Configuration example 1 works as follows:
  1. Loads the Apache mod_rewrite module, which ships with both IBM HTTP Server and Oracle HTTP Server, if it is not already loaded.
  2. Enables the rewrite engine for the directives that follow.
  3. Tests the request method (%{REQUEST_METHOD}) against the regular expression ^(GET|POST|PUT|DELETE|OPTIONS)$. The anchors (^ and $) require an exact match and the leading ! negates the test, so the condition is true only when the verb is not GET, POST, PUT, DELETE or OPTIONS.
  4. When the condition is true, applies the rule to every URL (.*), leaves the URL unchanged (-) and returns a 403 Forbidden response ([F]); the pass-through flag ([PT]) is set so that the rule takes precedence over the IBM WebSphere® Application Server plug-in's handling of the request.
Note that HEAD is not in the permitted list, so HEAD requests, which some monitoring tools and load balancer health checks use, are rejected with 403. Add any verb that your deployment legitimately needs to the list, and remove any that it does not need.
```
<IfModule !mod_rewrite.c>
    LoadModule rewrite_module {path_to_modules}/mod_rewrite.so
</IfModule>
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} !^(GET|POST|PUT|DELETE|OPTIONS)$
    RewriteRule .* - [PT,F]
</IfModule>
```
Configuration example 2
Configuration example 2 makes the mod_rewrite rules apply to HTTPS traffic as well as HTTP. Rewrite rules that are defined in the main server configuration are not inherited by a <VirtualHost> section unless that section requests them, so without these two directives the SSL virtual host on port 443 would pass every verb through unchecked.

```
    RewriteEngine On
    RewriteOptions Inherit
```
Insert the previous directives inside the SSL virtual host block, that is, the section bounded by the following lines:
```
<VirtualHost *:443>
  ...
</VirtualHost>
```