During our hardening process of our BitBucket Data Center our Security scanning tool complaining about the REST API that is exposing PUT functions.
POST /account?_method=PUT HTTP/1.1
Referer: https://<<BB URL>>...TRUNCATED...
Report Date: 1/24/2019 3
Date: Wed, 23 Jan 2019 17:17:21 GMT
File Names: https://<<BB-URL>>:443/account?_method=PUT
In order to protect access to various resources, web servers may be configured to prevent the usage of specific HTTP verbs.
However, some web frameworks provide a way to override the HTTP method in the request by supplying specific HTTP
request headers. This feature is typically used when a web or proxy server restricts certain verbs, but the application needs to
use them, especially in RESTful services. It is possible for a malicious user to take advantage of this feature to bypass HTTP
verbs restrictions implemented on a server. Doing so may allow the attacker to perform unintended actions on protected
resources in the web application.
The attack request uses a trusted HTTP verb such as GET or POST, but adds request headers such as X-HTTP-Method, XHTTP-
Method-Override, X-Method-Override, or a query parameter such as _method to provide a restricted verb such as PUT
or DELETE. Such a request is interpreted by the target application using the verb in the request header instead of the actual
Attackers may leverage this vulnerability to add, edit or delete protected resources on the server-side of a web application.
Anyway we can make this secure and disable the use of verb tunneling using such headers or query parameter? Any help from Atlassian team or security experts will be appreciated.
Hello Atlassian Team,
I am still not able to create ticket and need help with Bitbucket security scan. Please help create ticket for above issue/question.
If you need details on who others are having support creation issue go to: https://community.atlassian.com/t5/Confluence-discussions/Can-t-contact-Atlassian-Support/td-p/726938
Hello folks! To the member of organizations who are still running their Atlassian applications on the server, we are on the side of the bridge, and if we need to sail the boat with confidence either...
Connect with like-minded Atlassian users at free events near you!Find an event
Connect with like-minded Atlassian users at free events near you!
Unfortunately there are no Community Events near you at the moment.Host an event
You're one step closer to meeting fellow Atlassian users at your local event. Learn more about Community Events