ASP.NET potential HTTP Verb Tampering - Vulnerability Database

ASP.NET potential HTTP Verb Tampering

Description

The web.config file contains Location sections with authorization rules that specify HTTP verbs using the verbs attribute. This configuration is vulnerable to HTTP verb tampering because it only applies security constraints to the explicitly listed HTTP methods (e.g., GET, POST). Attackers can bypass these restrictions by using alternative HTTP methods (such as HEAD, PUT, DELETE, or OPTIONS) that are not included in the verbs list. Authorization rules should apply to all HTTP methods unless there is a specific, well-justified reason to limit them.

Remediation

Remove the verbs attribute from all allow and deny elements within the authorization section. This ensures that authorization rules apply uniformly to all HTTP methods, preventing bypass attempts. Review all Location sections in your web.config file and update them accordingly.

Secure configuration example:

<location path="Admin.aspx">
    <system.web>
        <authorization>
            <allow users="admin" />
            <deny users="*" />
        </authorization>
    </system.web>
</location>

If you have a legitimate business requirement to allow different users access based on HTTP methods, implement method-level authorization checks within your application code rather than relying solely on web.config settings. Additionally, consider disabling unused HTTP methods at the web server level to reduce the attack surface.
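The following added example (not Invicti's own check or code) shows how the pattern described above can be detected in a web.config and how the remediation looks when applied mechanically: it reports every allow/deny rule inside a location section that carries a verbs attribute, and strips those attributes. The sample configuration embedded in the script is constructed for illustration.

```python
"""Flag web.config authorization rules scoped by HTTP verb (added example,
not Invicti's own check). The sample configuration below is constructed."""
import xml.etree.ElementTree as ET

# Constructed sample: Admin.aspx only constrains GET and POST, so any other
# method reaches the page with no rule applied; Reports.aspx is verb-agnostic.
SAMPLE_WEB_CONFIG = """<configuration>
  <location path="Admin.aspx">
    <system.web>
      <authorization>
        <allow users="admin" verbs="GET,POST" />
        <deny users="*" verbs="GET,POST" />
      </authorization>
    </system.web>
  </location>
  <location path="Reports.aspx">
    <system.web>
      <authorization>
        <allow roles="analyst" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>"""


def find_verb_scoped_rules(config_xml):
    """Return (location path, rule tag, verbs) for each allow/deny that has a verbs attribute."""
    findings = []
    for location in ET.fromstring(config_xml).iter("location"):
        path = location.get("path", "(root)")
        for rule in location.iter():
            verbs = rule.get("verbs")
            if rule.tag in ("allow", "deny") and verbs is not None:
                findings.append((path, rule.tag, [v.strip().upper() for v in verbs.split(",") if v.strip()]))
    return findings


def strip_verbs(config_xml):
    """Apply the remediation: drop the verbs attribute from every allow/deny rule."""
    root = ET.fromstring(config_xml)
    for rule in root.iter():
        if rule.tag in ("allow", "deny"):
            rule.attrib.pop("verbs", None)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for path, tag, verbs in find_verb_scoped_rules(SAMPLE_WEB_CONFIG):
        print(f"{path}: <{tag}> applies only to {','.join(verbs)}; other methods are unconstrained")
```

Running the script against a real web.config (read the file and pass its text to find_verb_scoped_rules) lists the location paths that need review; strip_verbs produces the verb-agnostic form, which should then be checked for rules that genuinely needed per-method behaviour and moved into application code.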
