Unsafe HTTP methods
Mobile applications send many kinds of requests to their backend servers over the network, and many of these are HTTP requests. They perform functions such as requesting resources, gaining access, or terminating a user session. Whether a request is served depends on how the server is configured: the server can be set up to decide which requests are served and which are ignored. Consider an example of how an attacker may use an HTTP request to inflict damage.
An attacker manages to intercept a mobile app’s communication with its backend server, steals the username and password, and gains access to the server. He then sends an HTTP DELETE request, which asks the server to delete the specified resource. Because the server is configured to accept and process every request that originates from an authenticated source, the request is executed and a file containing critical data is deleted from the server.
The solution is to block every HTTP method that is not needed for a legitimate purpose. The server should process only the requests that are necessary for the application’s smooth functioning. This is one way to keep potential vulnerabilities to a minimum.
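As an added example (not code from the original article), the following WSGI middleware enforces a per-route allow-list of HTTP methods and rejects everything else with 405 Method Not Allowed, so an authenticated DELETE against a read-only resource never reaches the application. The route table, the backend stand-in and the paths are constructed for illustration.

```python
# Added example: enforce an HTTP method allow-list in front of a WSGI application.
# Any method not explicitly listed for a route is rejected before reaching the app,
# regardless of whether the caller is authenticated.

# Constructed route table: longest matching prefix wins.
ALLOWED_METHODS = {
    "/api/session": {"POST", "DELETE"},   # log in / terminate a session
    "/api/reports": {"GET"},              # read-only resource: DELETE is never needed
}

def allowed_for(path):
    """Return the allow-list for the longest matching route prefix, or an empty set."""
    match = max((p for p in ALLOWED_METHODS if path.startswith(p)), key=len, default=None)
    return ALLOWED_METHODS.get(match, set())

def method_allowlist(app):
    """Wrap a WSGI app so that only explicitly allowed methods reach it."""
    def wrapper(environ, start_response):
        method = environ.get("REQUEST_METHOD", "").upper()
        allowed = allowed_for(environ.get("PATH_INFO", ""))
        if method not in allowed:
            # Reject with 405 and advertise the permitted methods, as RFC 9110 requires.
            start_response("405 Method Not Allowed", [
                ("Allow", ", ".join(sorted(allowed))),
                ("Content-Type", "text/plain"),
            ])
            return [b"method not allowed\n"]
        return app(environ, start_response)
    return wrapper

def backend(environ, start_response):
    """Constructed stand-in for the real application: echoes method and path."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [f"{environ['REQUEST_METHOD']} {environ['PATH_INFO']}".encode()]

def call(app, method, path):
    """Invoke a WSGI app directly and return (status, headers, body) for inspection."""
    captured = {}
    def start_response(status, headers):
        captured["status"], captured["headers"] = status, dict(headers)
    body = b"".join(app({"REQUEST_METHOD": method, "PATH_INFO": path}, start_response))
    return captured["status"], captured["headers"], body

if __name__ == "__main__":
    guarded = method_allowlist(backend)
    print(call(guarded, "GET", "/api/reports/42"))      # served
    print(call(guarded, "DELETE", "/api/reports/42"))   # 405, Allow: GET
```

The same allow-list can be expressed in a web server's own configuration (for example a `LimitExcept` block in Apache or `limit_except` in nginx); the middleware form is shown here so the rejection logic is visible and testable.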