The A10 Networks ADC, when used for load-balancing web servers, must not allow the HTTP TRACE and OPTIONS methods.

From A10 Networks ADC ALG Security Technical Implementation Guide

Part of SRG-NET-000401-ALG-000127

Associated with: CCI-001310

SV-82503r1_rule The A10 Networks ADC, when used for load-balancing web servers, must not allow the HTTP TRACE and OPTIONS methods.

Vulnerability discussion

HTTP offers a number of methods that can be used to perform actions on the web server, and some of them can be abused if the web server is misconfigured. The two methods used for normal requests are GET and POST, so incoming requests should be limited to those.

Although the HTTP TRACE method is useful for debugging, it enables cross-site tracing (XST) attacks. A TRACE response echoes the request back to the client, headers included, so a script that can make the browser issue a TRACE (historically through browser flaws; modern browsers refuse TRACE from script) can read cookies and authentication headers that are otherwise inaccessible to it, which is why TRACE is grouped with cross-site scripting risks. OPTIONS discloses which methods the server accepts and so aids reconnaissance; it is excluded as well. The STIG regards HEAD, GET, POST, and CONNECT as generally safe. For a WAF template, GET and POST are the default values and the safest options, so restricting the methods to GET and POST is recommended.
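The following is an added example, not part of the STIG or of A10's software. A small local HTTP server stands in for a web server behind the ADC: with TRACE in its allowed set it echoes the request, headers included, exactly as TRACE is defined to do, so the cookie the client sent comes back in the response body; with the GET/POST-only set the STIG recommends it answers 405. The same probe functions can be pointed at a real virtual IP after the fix is applied. The cookie value, host and port are constructed for the demo.

```python
"""Cross-site tracing demo and a probe for verifying that a VIP rejects TRACE/OPTIONS.

Added example; the stand-in server, cookie value and port are constructed and
are not A10 or STIG material.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def make_handler(allowed_methods):
    """Build a request handler that permits only the given HTTP methods."""

    class Handler(BaseHTTPRequestHandler):
        def log_message(self, *args):  # silence per-request logging
            pass

        def _dispatch(self):
            if self.command not in allowed_methods:
                self._reply(405, b"method not allowed")
                return
            if self.command == "TRACE":
                # TRACE reflects the request line and every header verbatim,
                # so a Cookie or Authorization header comes back in the body.
                body = f"{self.command} {self.path} {self.request_version}\r\n".encode()
                body += bytes(self.headers)
                self._reply(200, body, "message/http")
                return
            self._reply(200, b"ok")

        do_GET = do_POST = do_TRACE = do_OPTIONS = _dispatch

        def _reply(self, code, body, ctype="text/plain"):
            self.send_response(code)
            self.send_header("Content-Type", ctype)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

    return Handler


def run_server(allowed_methods):
    """Start the stand-in server on an ephemeral localhost port; return (server, port)."""
    srv = HTTPServer(("127.0.0.1", 0), make_handler(allowed_methods))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def probe(host, port, method, cookie="session=s3cr3t"):
    """Send one request carrying a cookie; return (status, body_text)."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request(method, "/", headers={"Cookie": cookie})
        resp = conn.getresponse()
        return resp.status, resp.read().decode(errors="replace")
    finally:
        conn.close()


def check_methods(host, port):
    """Status per method; a compliant ADC answers TRACE and OPTIONS with 405."""
    return {m: probe(host, port, m)[0] for m in ("GET", "TRACE", "OPTIONS")}


def cookie_leaks_via_trace(host, port, cookie="session=s3cr3t"):
    """True when a TRACE response reflects the cookie, i.e. the XST condition."""
    status, body = probe(host, port, "TRACE", cookie)
    return status == 200 and cookie in body


if __name__ == "__main__":
    for allowed in ({"GET", "POST", "TRACE", "OPTIONS"}, {"GET", "POST"}):
        srv, port = run_server(allowed)
        print(sorted(allowed), check_methods("127.0.0.1", port),
              "cookie leaked:", cookie_leaks_via_trace("127.0.0.1", port))
        srv.shutdown()
        srv.server_close()
```

Against a real deployment, call check_methods and cookie_leaks_via_trace with the VIP's address and port instead of the local stand-in; anything other than 405 for TRACE and OPTIONS means the WAF template is either permissive or not bound to that virtual port.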

Check content

If the ADC is not used to load balance web servers, this is not applicable.

Interview the device administrator to determine which WAF template is used for web servers. Review the device configuration; the following command displays the running configuration filtered to the WAF template section:

show run | sec slb template waf

If there is no WAF template, this is a finding. If the WAF template allows the HTTP TRACE or OPTIONS method (either appears in its allowed-http-methods list), this is a finding. A template that exists but is not bound to the web servers' virtual port restricts nothing, so confirm the binding as well.
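An added helper for the check above, not A10 tooling: it parses text in the shape of the filtered `show run` output and reports templates that permit TRACE or OPTIONS, or the absence of any WAF template. The sample configuration is constructed; the exact indentation and keyword layout ACOS prints is an assumption to confirm against a real device before relying on the parser.

```python
"""Audit WAF templates in A10 ACOS running-config text for TRACE/OPTIONS.

Added example; SAMPLE_CONFIG is constructed to resemble
`show run | sec slb template waf` output and is an assumption about its layout.
"""
import re

DISALLOWED = {"TRACE", "OPTIONS"}
# The page states GET and POST are the template defaults when no
# allowed-http-methods line is present.
DEFAULT_METHODS = {"GET", "POST"}

SAMPLE_CONFIG = """\
slb template waf WAF-WEB-PROD
  allowed-http-methods GET POST
  deploy-mode active
slb template waf WAF-LEGACY
  allowed-http-methods GET POST HEAD OPTIONS TRACE
slb template waf WAF-DEFAULT
  deploy-mode learning
"""

TEMPLATE_RE = re.compile(r"^slb template waf (\S+)")


def parse_waf_templates(config_text):
    """Return {template_name: set_of_methods or None}.

    None means the template has no allowed-http-methods line, so the
    device defaults apply.
    """
    templates = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = TEMPLATE_RE.match(line)
        if m:
            current = m.group(1)
            templates[current] = None
            continue
        if current and line.startswith("allowed-http-methods"):
            templates[current] = {tok.upper() for tok in line.split()[1:]}
    return templates


def audit(config_text):
    """Return a list of finding strings; an empty list means compliant."""
    templates = parse_waf_templates(config_text)
    if not templates:
        return ["no WAF template configured"]
    findings = []
    for name, methods in templates.items():
        effective = methods if methods is not None else DEFAULT_METHODS
        bad = sorted(effective & DISALLOWED)
        if bad:
            findings.append(f"{name}: allows {' '.join(bad)}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG) or ["compliant"]:
        print(finding)
```

Feed it the real command output (for example via an SSH session's captured text) and treat any returned finding exactly as the check text does.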

Fix text

The following commands configure the ADC to restrict the HTTP methods:

slb template waf [template-name]
  allowed-http-methods GET POST HEAD PUT DELETE CONNECT PURGE

TRACE and OPTIONS are simply omitted from the list, so the template denies them.

Note: GET and POST are the default values and are the safest choices. Restricting the methods to GET and POST is recommended:

  allowed-http-methods GET POST

Powered by sagemincer