HTTP OPTIONS and Default page vulnerabilities

This post has been republished via RSS; it originally appeared at: IIS Support Blog articles.

Penetration testing tools may raise an alert if an IIS server accepts requests with the HTTP OPTIONS method. This is because the response to these requests may reveal which other methods the web server supports.

 

Follow the steps below to disable the OPTIONS method.

  1. Open IIS Manager
  2. Click the server name
  3. Double click on Request Filtering
  4. Go to HTTP Verbs tab
  5. On the right side, click Deny Verb
  6. Type OPTIONS. Click OK


Penetration testing tools may also raise an alarm if the default IIS page is still available on your server. This page is present by default when you install the Web Server role.

 

Follow the steps below to disable it so that this vulnerability doesn't come up in the reports anymore.

  1. Open IIS Manager
  2. Click the server name
  3. Double click on Default Document
  4. On the right side, click “Disable”
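
Both procedures above can also be scripted and then checked. The following PowerShell is an added example, not part of the original post; it applies the same two server-level settings with the WebAdministration module and assumes a site answering on `http://localhost/` for the verification step (`Get-StatusCode` is a helper defined here).

```powershell
# Added example: scripted equivalent of the two IIS Manager procedures.
# Run in an elevated Windows PowerShell session on the IIS server.
Import-Module WebAdministration

$server = 'MACHINE/WEBROOT/APPHOST'   # server level, same scope as clicking the server name
$verbs  = 'system.webServer/security/requestFiltering/verbs'
$rule   = "$verbs/add[@verb='OPTIONS']"

# 1. Request Filtering > HTTP Verbs > Deny Verb: OPTIONS (safe to re-run)
$existing = Get-WebConfiguration -PSPath $server -Filter $rule
if (-not $existing) {
    Add-WebConfigurationProperty -PSPath $server -Filter $verbs -Name '.' `
        -Value @{ verb = 'OPTIONS'; allowed = 'False' }
} elseif ($existing.allowed) {
    # An entry exists but allows the verb: flip it to deny.
    Set-WebConfigurationProperty -PSPath $server -Filter $rule -Name 'allowed' -Value 'False'
}

# 2. Default Document > Disable
Set-WebConfigurationProperty -PSPath $server -Filter 'system.webServer/defaultDocument' `
    -Name 'enabled' -Value 'False'

# 3. Verify from the client side. Helper name and URL are assumptions of this example.
function Get-StatusCode {
    param([string]$Uri, [string]$Method = 'Get')
    try {
        (Invoke-WebRequest -Uri $Uri -Method $Method -UseBasicParsing).StatusCode
    } catch {
        # Non-success responses throw; read the status from the attached response.
        [int]$_.Exception.Response.StatusCode
    }
}

$target = 'http://localhost/'   # assumed binding; change to the site under test
[pscustomobject]@{
    OptionsStatus = Get-StatusCode -Uri $target -Method 'Options'
    RootGetStatus = Get-StatusCode -Uri $target
}
```

Request Filtering rejects a denied verb with HTTP 404 (substatus 404.6 in the IIS log), so a 404 for `OptionsStatus` confirms the rule is active. Before applying these settings server-wide, check whether any hosted site depends on CORS preflight requests (which use OPTIONS) or on default documents such as `index.html`.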
