FortiGate
akumarr
Staff
Article Id 198277

Description


This article explains illegal HTTP request methods and the steps to block them.

Solution


FortiGate treats the methods listed below as legal HTTP request methods.

GET, PUT, CONNECT, OPTIONS, OTHERS, POST, HEAD, TRACE, DELETE.

Enable 'Illegal HTTP Request Method' in the FortiGate GUI to block requests that use illegal methods.

1. Go to System > Feature Visibility and enable Web Application Firewall.


 

2. Edit the Web Application Firewall profile and enable 'Illegal HTTP Request Method'.
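
Before enabling the setting, it helps to know which clients already send methods outside the legal list. The following is an added example, not part of the original article or of FortiGate tooling: it checks web-server access log lines against the legal-method list above and counts the illegal ones per client. The Common Log Format input, the sample lines and the function names are assumptions.

```python
import re
from collections import Counter

# Legal methods as listed in the article. "OTHERS" from that list is left out:
# it is assumed here to be a category label, not a token seen on the wire.
LEGAL_METHODS = frozenset(
    {"GET", "PUT", "CONNECT", "OPTIONS", "POST", "HEAD", "TRACE", "DELETE"}
)

# Common/Combined Log Format: host ident user [time] "request" status size ...
LOG_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]*\] "(?P<request>[^"]*)" (?P<status>\d{3}|-)')

def classify(line):
    """Return (client, method, verdict); verdict is legal, illegal or malformed."""
    m = LOG_RE.match(line)
    if not m:
        return (None, None, "malformed")
    parts = m.group("request").split(" ")
    # A well-formed request line is: METHOD SP target SP HTTP-version
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return (m.group("client"), None, "malformed")
    method = parts[0]  # compared case-sensitively (this script's choice)
    verdict = "legal" if method in LEGAL_METHODS else "illegal"
    return (m.group("client"), method, verdict)

def illegal_summary(lines):
    """Count illegal-method requests per (client, method) pair."""
    counts = Counter()
    for line in lines:
        client, method, verdict = classify(line)
        if verdict == "illegal":
            counts[(client, method)] += 1
    return counts

# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512',
    '192.0.2.44 - - [01/Jan/2024:10:00:05 +0000] "MKCOL /test HTTP/1.1" 405 0',
    '192.0.2.44 - - [01/Jan/2024:10:00:09 +0000] "SEARCH / HTTP/1.1" 405 0',
    '192.0.2.44 - - [01/Jan/2024:10:00:12 +0000] "MOVE /a/file.txt HTTP/1.1" 405 0',
    '192.0.2.44 - - [01/Jan/2024:10:00:13 +0000] "MKCOL /test2 HTTP/1.1" 405 0',
    '192.0.2.77 - - [01/Jan/2024:10:00:20 +0000] "-" 400 0',
]

if __name__ == "__main__":
    for (client, method), n in sorted(illegal_summary(SAMPLE_LOG).items()):
        print(f"{client} {method} x{n}")
```

Clients that appear in the summary with WebDAV methods such as MKCOL or MOVE are the ones whose requests the WAF profile would start blocking.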

 

 

Illegal HTTP methods:

1) MKCOL Method.

The MKCOL method allows authors to create a collection on the server at a specified URL.
A collection is a logical or physical grouping of resources in a hierarchy.
The simplest example of a collection is a directory.
Collections are also resources, which can contain other collections as well.

The following example uses the MKCOL method to create a directory on the server side called 'test'.

 
 

  
As soon as the attack is triggered, the FortiGate blocks the MKCOL request, as shown in the screenshot below:
  
 
2) SEARCH Method.
 
The SEARCH method is used to initiate a server-side search.
Unlike the HTTP GET method, which requests that a server return a representation of the resource identified by the effective request URI, the SEARCH method is used by a client to ask the server to perform a query operation over some set of data scoped to the effective request URI.
 
The following example uses the SEARCH method to find the file named 'Contact' on the server side.
 
 
 
Refer to the FortiGate WAF logs below:
 
 
 
3) MOVE Method.
 
The MOVE method is used to move or rename files or directories on the server side.
 
The following example uses the MOVE method to move a file from one directory to another on the server side.
 
 
 
 
 
Refer to the FortiGate WAF logs below: