VERB TAMPERING

Feature       Value
Type          Detection
Risk          -
Covered by    Agent

The HTTP specification includes request methods other than the standard GET and POST. A standards-compliant web server may respond to these alternative methods in ways the developers did not anticipate, so access rules written only for GET and POST can be bypassed by sending another method.

More information

How to solve it

The right approach to securing a Java EE web application is to remove all <http-method> elements from the security constraint in web.xml, which applies the rule to every HTTP method. If you still want to restrict access to a specific method, you need to set up two policies as detailed below.

<security-constraint>
	<web-resource-collection>
		<web-resource-name>site</web-resource-name>
		<url-pattern>/*</url-pattern>
		<http-method>GET</http-method>
	</web-resource-collection>
	...
</security-constraint>
<security-constraint>
	<web-resource-collection>
		<web-resource-name>site</web-resource-name>
		<url-pattern>/*</url-pattern>
	</web-resource-collection>
	...
</security-constraint>

The first policy denies access to GET requests, and the second policy denies all requests regardless of method.
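As an added example (not code from this page or from any particular product), the following Python checker applies the rule above to a web.xml: it reports every url-pattern whose constraints all name explicit <http-method> elements without a second constraint covering all methods. The embedded web.xml is a constructed sample.

```python
"""Flag Java EE web.xml security constraints open to verb tampering.
A <security-constraint> listing <http-method> elements restricts only those
verbs; other methods on the same <url-pattern> stay unconstrained unless a
constraint without <http-method> covers it. (<http-method-omission> ignored.)
"""
import xml.etree.ElementTree as ET

# Constructed sample: /admin/* is restricted for GET and POST only, while
# /api/* is restricted for every method by a constraint with no <http-method>.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>api</web-resource-name>
      <url-pattern>/api/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>user</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

def find_verb_tampering_gaps(web_xml: str) -> dict:
    """Return {url_pattern: [restricted methods]} for every pattern whose
    constraints all name explicit methods, so any unlisted verb bypasses them."""
    root = ET.fromstring(web_xml)
    ns = root.tag[: root.tag.index("}") + 1] if root.tag.startswith("{") else ""
    listed, covered_all = {}, set()
    for sc in root.iter(ns + "security-constraint"):
        if sc.find(ns + "auth-constraint") is None:
            continue  # no auth-constraint means this constraint restricts nothing
        for wrc in sc.findall(ns + "web-resource-collection"):
            methods = [m.text.strip() for m in wrc.findall(ns + "http-method") if m.text]
            for pat in wrc.findall(ns + "url-pattern"):
                pattern = (pat.text or "").strip()
                if methods:
                    listed.setdefault(pattern, set()).update(methods)
                else:
                    covered_all.add(pattern)  # applies to all HTTP methods
    return {p: sorted(m) for p, m in listed.items() if p not in covered_all}

if __name__ == "__main__":
    for pattern, methods in find_verb_tampering_gaps(SAMPLE_WEB_XML).items():
        print(f"{pattern}: only {', '.join(methods)} restricted; other verbs are open")
```

Run against the sample it reports /admin/* (only GET and POST restricted) and stays silent for /api/*, which the method-less constraint covers.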