Create 14.5.1.yaml

Signed-off-by: Hamed Salimian <[email protected]>
OWASP · Oct 16, 2023 · 5336686 · 5336686
1 parent f0bcbbb
commit 5336686
Showing 1 changed file with 48 additions and 0 deletions.
diff --git a/templates/14.5.1.yaml b/templates/14.5.1.yaml
@@ -0,0 +1,48 @@
+id: ASVS-4-0-3-V14-5-1
+
+info:
+  name: ASVS 14.5.1 Check
+  author: Hamed Salimian
+  severity: medium
+  classification:
+    cwe-id: CWE-749
+  reference:
+    - https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/06-Test_HTTP_Methods.html
+  tags: asvs,14.5.1
+  description: |
+    Verify that the application server only accepts the HTTP methods in use by the application/API, including pre-flight OPTIONS, and logs/alerts on any requests that are not valid for the application context.
+
+http:
+  - method: TRACE
+    path:
+      - "{{BaseURL}}"
+    headers:
+      Host: "{{Hostname}}"
+    extractors:
+      - type: dsl
+        name: "TRACE method is Enabled"
+        dsl:
+          - status_code
+    matchers-condition: and
+    matchers:
+      - type: status
+        negative: true
+        status:
+          - 405
+          - 501
+      - type: regex
+        part: body
+        regex:
+          - '^TRACE \S+ HTTP\/[0-9]\.[0-9]'
+
+  - raw:
+      - |
+        {{to_upper(rand_text_alpha(4))}} {{BaseURL}} HTTP/1.1
+        Host: {{Hostname}}
+    matchers:
+      - type: status
+        name: "CUSTOM method is allowed."
+        negative: true
+        status:
+          - 405
+          - 501