Flow doesn't limit HTTP methods correctly

Severity
Medium
Applies to
Flow
Links
CWE-749

Why This Issue Is Important

Allowing unrestricted HTTP methods can expose your API to potential misuse or abuse. Attackers may exploit unsupported methods to bypass security controls, trigger unexpected behaviors, or gain unauthorized access to resources. For example, TRACE can be used to probe and gather information about the server configuration, which can aid in reconnaissance for further attacks. Additionally, allowing unexpected HTTP methods could enable unauthorized access to modify, delete, or view sensitive data.

How This Issue Is Detected

This issue is detected by evaluating the flow conditions to determine which HTTP methods are allowed. CodeSent checks whether the request.verb domain includes any potentially unsafe methods, such as TRACE, that should not be accepted under normal API use cases. If these methods are allowed without restriction, it indicates a configuration flaw.

How to Fix the Issue

To fix this issue, explicitly define a list of safe and expected HTTP methods for the flow. This can be achieved by setting a condition in the flow like:

<Condition>(request.verb == "GET" or request.verb == "POST" or request.verb == "PUT") and (proxy.pathsuffix == "/some/path")</Condition>