How to disable OPTIONS and TRACE vulnerabilities in the TIBCO Streaming Web Server Request Adapter

Article ID: KB0073363

Product: TIBCO Streaming
Versions: 10.x

Description

Vulnerability assessments and penetration tests flag any web service that responds to the HTTP methods "OPTIONS" and "TRACE" as insecure, because the responses to these methods reveal details about the web service implementation.

How can the application's response block these methods?

Issue/Introduction

Application design guidance

Resolution

The TIBCO® Streaming Web Server Request adapter does not respond directly to the web request, but provides information to the Web Server Response adapter.

In the input tuple emitted by the Web Server Request adapter, these methods appear in the field "Method" with the value "TRACE" or "OPTIONS". Your application should check for these field values in the tuple and send a response through the Web Server Response adapter with a "status" value of "405", which means "Method Not Allowed". To be fully compliant with RFC 2616, the "405" response should also carry a minimal "Data" field value and an "Allow" header listing the methods that are valid for the requested resource.
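The check described above, as an added stand-alone Python model of the decision logic rather than TIBCO Streaming EventFlow code. The field names "Method", "Data", "status" and the "Allow" header come from the article; the "Path" and "Headers" field names and the route table are assumptions made for the example.

```python
from typing import Optional

# Added example: a stand-alone model of the response logic from the article.
# This is not TIBCO Streaming code. "Method", "Data", "status" and "Allow"
# are the names the article uses; "Path" and "Headers" are assumed names for
# the remaining request and response fields.

# Methods that scanners flag and that the application refuses to serve.
BLOCKED_METHODS = frozenset({"TRACE", "OPTIONS"})

# Constructed route table: the methods each resource actually supports.
# It feeds the Allow header that RFC 2616 section 10.4.5 requires on a 405.
ROUTES = {
    "/api/orders": frozenset({"GET", "POST"}),
    "/health": frozenset({"GET"}),
}


def build_response(request: dict) -> Optional[dict]:
    """Return the response tuple for a blocked method, or None when the
    request should flow on to the normal application logic.

    request:  {"Method": str, "Path": str}          (Path is an assumed name)
    response: {"status": int, "Data": str, "Headers": dict}
    """
    method = request.get("Method", "")
    if method not in BLOCKED_METHODS:
        return None

    # An unknown resource yields an empty Allow list: nothing is accepted there.
    allowed = ROUTES.get(request.get("Path", ""), frozenset())

    return {
        "status": 405,                        # Method Not Allowed
        "Data": "Method Not Allowed",         # minimal body, never echoes input
        "Headers": {
            "Allow": ", ".join(sorted(allowed)),
            "Content-Type": "text/plain",
        },
    }


if __name__ == "__main__":
    # Constructed request tuples, as they would arrive from the request adapter.
    for req in ({"Method": "GET", "Path": "/health"},
                {"Method": "TRACE", "Path": "/api/orders"},
                {"Method": "OPTIONS", "Path": "/health"}):
        print(req["Method"], req["Path"], "->", build_response(req))
```

Note that the body is a fixed string: a TRACE response must never echo the received request back, since that echo is exactly what the assessment objects to.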

Additional Information

RFC 2616, section 10.4.5 (405 Method Not Allowed): https://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html