In OWASP ASVS 2014 (https://www.owasp.org/images/5/58/OWASP_ASVS_Version_2.pdf) we have:
V 11.2 (page 31): Verify that the application accepts only a defined set of HTTP request methods, such as GET and POST and unused methods are explicitly blocked.
Does it mean we cannot use non-standard HTTP methods? If yes, can we say that WebDAV doesn't conform to the OWASP ASVS standard? If the answer is no, is there any formal document, blog post or FAQ for this?
The quick answer is NO! I asked Andrew van der Stock, the OWASP ASVS project leader. This is my question:
Dear OWASP ASVS project leaders (Daniel & Vanderaj),
I want to know if OWASP ASVS 2014 Level 1 forces us to use just the standardized HTTP methods (GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, TRACE) or whether we can use non-standardized HTTP methods too (by listing them in a document, like what WebDAV (https://en.wikipedia.org/wiki/WebDAV) did)?
With Respect
And he replied to me:
I think the primary driver is not to worry about which methods are available, but if they are necessary and safely configured.
Essentially, we are asking for: All methods are denied by default, except for: A positive set of allowed methods, AND all these methods are correctly and securely configured
For example, OPTIONS and HEAD are required by Chrome doing pre-flight CORS checks on AngularJS and other apps, and many apps require PUT and DELETE. Therefore these methods are necessary. If you use a new method, such as "EXAMPLE", the idea is that you don't also accept any other words, such as "RIDICULOUS", and "EXAMPLE" is correctly configured to be safe.
So if WebDAV is also enabled for whatever reason, it's important to make sure that it is properly secured. There may be a solid reason for it to exist (e.g. SharePoint), but to allow anonymous users to overwrite your site or change things is not okay.
thanks, Andrew
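The deny-by-default rule Andrew describes (a positive set of allowed methods, everything else rejected) can be enforced in front of an application. The following WSGI middleware is an added example, not code from the answer, OWASP or any project; the allowlist, the custom "EXAMPLE" method and the echo application behind it are constructed for illustration.

```python
from typing import Callable, Iterable

# Positive set of methods this application actually needs; anything else is
# rejected before it reaches the application. "EXAMPLE" stands in for a custom
# method the application documents and handles safely (constructed value).
DEFAULT_ALLOWED = frozenset({"GET", "HEAD", "POST", "OPTIONS", "EXAMPLE"})


class MethodAllowlist:
    """WSGI middleware: deny by default, pass through only allowlisted methods."""

    def __init__(self, app: Callable, allowed: Iterable[str] = DEFAULT_ALLOWED):
        self.app = app
        # HTTP methods are case-sensitive; match exactly, so "get" is not "GET".
        self.allowed = frozenset(allowed)
        self.allow_header = ", ".join(sorted(self.allowed))

    def __call__(self, environ, start_response):
        method = environ.get("REQUEST_METHOD", "")
        if method not in self.allowed:
            # RFC 7231: a 405 must carry an Allow header naming the permitted methods.
            body = b"Method Not Allowed"
            start_response("405 Method Not Allowed", [
                ("Allow", self.allow_header),
                ("Content-Type", "text/plain"),
                ("Content-Length", str(len(body))),
            ])
            return [body]
        return self.app(environ, start_response)


def _echo_app(environ, start_response):
    """Constructed stand-in application: echoes the method it was handed."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [environ["REQUEST_METHOD"].encode()]


def call(method: str, app=MethodAllowlist(_echo_app)):
    """Drive the WSGI stack in-process (no network); return (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app({"REQUEST_METHOD": method, "PATH_INFO": "/"}, start_response))
    return captured["status"], captured["headers"], body
```

`call("TRACE")` and `call("RIDICULOUS")` both come back as 405 with an `Allow` header, while `call("EXAMPLE")` reaches the application because that method was deliberately added to the set.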