
The A10 Networks ADC, when used for load-balancing web servers, must not allow the HTTP TRACE and OPTIONS methods.

An XCCDF Rule

Description

<VulnDiscussion>HTTP offers a number of methods that can be used to perform actions on the web server. Some of these HTTP methods can be used for nefarious purposes if the web server is misconfigured. The two HTTP methods used for normal requests are GET and POST, so incoming requests should be limited to those methods. Although the HTTP TRACE method is useful for debugging, it enables cross-site scripting attacks. By exploiting certain browser vulnerabilities, an attacker may manipulate the TRACE method. The HEAD, GET, POST, and CONNECT methods are generally regarded as safe. For a WAF template, GET and POST are the default values and are the safest options, so restricting the methods to GET and POST is recommended.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID
SV-237057r639618_rule
Severity
Medium
References
Updated



Remediation - Manual Procedure

The following commands configure the ADC to restrict the HTTP methods:
slb template waf [template-name]
allowed-http-methods GET POST HEAD PUT DELETE CONNECT PURGE

Note: GET and POST are the default values and are the safest choices. Restricting the methods to GET and POST is recommended.
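An added compliance check, not part of the STIG or of A10's own tooling: it parses an ACOS-style running config (the sample below is constructed, and the block layout and indentation are assumptions about the config format) and reports, per WAF template, whether TRACE or OPTIONS is allowed and whether the allowed set goes beyond the recommended GET and POST.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of an A10 ACOS-style running config. The "slb template waf"
# and "allowed-http-methods" lines mirror the remediation commands above.
SAMPLE_CONFIG = """\
slb template waf dmz-web
  allowed-http-methods GET POST HEAD TRACE OPTIONS
slb template waf intranet-web
  allowed-http-methods GET POST
slb template waf stig-remediation
  allowed-http-methods GET POST HEAD PUT DELETE CONNECT PURGE
slb template waf legacy-web
"""

FORBIDDEN = {"TRACE", "OPTIONS"}   # methods this rule says must not be allowed
RECOMMENDED = {"GET", "POST"}      # the default and recommended set


def parse_waf_templates(config: str) -> Dict[str, Optional[List[str]]]:
    """Map each WAF template name to its allowed-http-methods list.

    A template with no allowed-http-methods line maps to None so the caller
    can tell "explicitly restricted" apart from "not configured".
    """
    templates: Dict[str, Optional[List[str]]] = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"^slb template waf (\S+)", line)
        if m:
            current = m.group(1)
            templates[current] = None
            continue
        m = re.match(r"^\s+allowed-http-methods\s+(.+)$", line)
        if m and current is not None:
            templates[current] = m.group(1).upper().split()
    return templates


def check_templates(config: str) -> Dict[str, str]:
    """Return one finding per template: 'pass', 'pass: ...', 'fail: ...' or 'review: ...'."""
    findings: Dict[str, str] = {}
    for name, methods in parse_waf_templates(config).items():
        if methods is None:
            findings[name] = "review: no allowed-http-methods line; verify the template default"
            continue
        bad = sorted(FORBIDDEN & set(methods))
        if bad:
            findings[name] = f"fail: allows {' '.join(bad)}"
        elif set(methods) - RECOMMENDED:
            findings[name] = "pass: no TRACE/OPTIONS, but allows more than GET POST"
        else:
            findings[name] = "pass"
    return findings
```

Run `check_templates` over the output of `show running-config` to audit every WAF template at once; a "review" result means the template relies on the device default rather than an explicit method list.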