HTTP OPTIONS method is supported in CLM applications


Krzysztof Kaźmierczyk (7.4k373103) | asked Nov 19 '15, 3:28 a.m.
The web server replies to requests using the HTTP OPTIONS method. Usually, this method only serves for diagnostic purposes and returns the HTTP methods supported by the web server. As can be seen from the server response below, the underlying web or application server supports the following HTTP methods: GET, HEAD, POST, and OPTIONS.

curl -X OPTIONS -I -k https://192.168.1.4:9443/ccm/web/_js/dijit/
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: private
Expires: Thu, 01 Jan 1970 01:00:00 CET
Allow: GET, HEAD, POST, OPTIONS
Content-Length: 0
Date: Thu, 02 Jul 2015 13:29:04 GMT

Threat


An attacker can use the OPTIONS method to gather information and to adapt his further procedure.

2 answers



Krzysztof Kaźmierczyk (7.4k373103) | answered Nov 19 '15, 3:30 a.m.
Some security people think that OPTIONS assists attackers by telling them which HTTP methods are supported, but it does seem you could just try the methods and see what errors come back.

Anyone can try the methods one by one to achieve the same result as an OPTIONS request.  So if we do disable OPTIONS, we are slowing down but not preventing attackers.

Disabling OPTIONS will not make the product in any way safer, but it could cause other issues with the mechanics and workflow of CLM applications. Therefore, there is no plan to disable it.
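The Allow header only advertises methods, so a useful defensive check is whether what it advertises matches what you expect. The following is an added example, not part of the original post or of CLM: it parses the OPTIONS response from the question and compares it with an expected method set. `EXPECTED`, `parse_allow` and `audit` are names assumed for this illustration.

```python
# Added example: audit the Allow header of a captured OPTIONS response.
# EXPECTED is an assumed policy (the methods shown in the question), not a CLM setting.
EXPECTED = {"GET", "HEAD", "POST", "OPTIONS"}

# Response headers copied from the question above.
CAPTURED = """\
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: private
Expires: Thu, 01 Jan 1970 01:00:00 CET
Allow: GET, HEAD, POST, OPTIONS
Content-Length: 0
Date: Thu, 02 Jul 2015 13:29:04 GMT
"""


def parse_allow(raw):
    """Return the set of methods in all Allow headers, or None if there is none."""
    methods, seen = set(), False
    for line in raw.splitlines()[1:]:      # skip the status line
        if not line.strip():
            break                          # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "allow":   # header names are case-insensitive
            seen = True
            methods.update(m.strip().upper() for m in value.split(",") if m.strip())
    return methods if seen else None


def audit(raw, expected=EXPECTED):
    """Compare the advertised methods with the expected set."""
    allowed = parse_allow(raw)
    if allowed is None:
        # No Allow header (for example, OPTIONS disabled): nothing is advertised,
        # which says nothing about which methods the server still accepts.
        return {"status": "unknown", "unexpected": [], "missing": []}
    unexpected = sorted(allowed - expected)
    missing = sorted(expected - allowed)
    return {"status": "review" if unexpected else "ok",
            "unexpected": unexpected, "missing": missing}


if __name__ == "__main__":
    print(audit(CAPTURED))
```

A result of "unknown" is reported separately from "ok" because a server that stops answering OPTIONS has only stopped advertising its methods.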

Geoffrey Clemm (30.1k33035) | answered Nov 21 '15, 10:47 a.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER
Just for interest's sake, did someone actually raise this as an issue?   I've never heard of anyone with a knowledge of HTTP propose that support for the OPTIONS request is a potential security issue.

Comments
Krzysztof Kaźmierczyk commented Nov 30 '15, 11:32 a.m.

Yes, we had one of the customers asking for advice regarding that.


Geoffrey Clemm commented Dec 02 '15, 1:15 p.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER

If it ever arises again, I would just (politely :-) challenge their assertion that "some security people think OPTIONS support attackers".   I personally do not believe there are any such people (:-).
