BitBucket- Often Misused: HTTP Method Override


During the hardening process of our BitBucket Data Center, our security scanning tool complained about the REST API exposing PUT functions.


Attack Request:

POST /account?_method=PUT HTTP/1.1
Referer: https://<<BB URL>>...TRUNCATED...
Report Date: 1/24/2019 3

Attack Response:
HTTP/1.1 200
Date: Wed, 23 Jan 2019 17:17:21 GMT
Content-Typ...TRUNCATED...

File Names: https://<<BB-URL>>:443/account?_method=PUT

Summary:

In order to protect access to various resources, web servers may be configured to prevent the usage of specific HTTP verbs. However, some web frameworks provide a way to override the HTTP method in the request by supplying specific HTTP request headers. This feature is typically used when a web or proxy server restricts certain verbs, but the application needs to use them, especially in RESTful services. It is possible for a malicious user to take advantage of this feature to bypass HTTP verb restrictions implemented on a server. Doing so may allow the attacker to perform unintended actions on protected resources in the web application.

Execution:

The attack request uses a trusted HTTP verb such as GET or POST, but adds request headers such as X-HTTP-Method, X-HTTP-Method-Override, X-Method-Override, or a query parameter such as _method to provide a restricted verb such as PUT or DELETE. Such a request is interpreted by the target application using the verb in the request header instead of the actual HTTP verb.

Implication:

Attackers may leverage this vulnerability to add, edit or delete protected resources on the server-side of a web application.


Is there any way we can make this secure and disable the use of verb tunneling through such headers or query parameters? Any help from the Atlassian team or security experts will be appreciated.


Thanks,

Jay
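The verb tunnelling the scan summary describes, and one way to refuse it before a request reaches the application, as an added example that is not part of the original post and not Atlassian or Bitbucket code. The header and parameter names are the ones listed in the scan text; the sample requests are constructed, and the policy of blocking only overrides that turn a request into PUT/DELETE/PATCH is an assumption about what the deployment wants.

```python
"""Detect and reject HTTP verb tunnelling (method override) in front of a web app.
Added example: the same rule would normally live in the reverse proxy or WAF that
sits in front of Bitbucket; this shows the logic such a rule has to implement."""
from urllib.parse import parse_qs, urlsplit

# Override carriers named in the scanner's "Execution" text. Header names are
# compared case-insensitively, as HTTP header names are.
OVERRIDE_HEADERS = ("x-http-method", "x-http-method-override", "x-method-override")
OVERRIDE_PARAM = "_method"
# Verbs treated as restricted here (assumption); an override that only restates
# the real verb is left alone.
RESTRICTED_VERBS = {"PUT", "DELETE", "PATCH"}


def find_override(method, target, headers):
    """Return (effective_verb, source) when the request carries a verb override,
    else (method, None). `target` is the request-target from the request line,
    `headers` a dict of raw header name -> value. Headers are checked first;
    a real gateway should refuse a request if either carrier is present."""
    for name, value in headers.items():
        if name.lower() in OVERRIDE_HEADERS and value.strip():
            return value.strip().upper(), f"header {name}"
    values = parse_qs(urlsplit(target).query).get(OVERRIDE_PARAM)
    if values:
        return values[0].upper(), f"query parameter {OVERRIDE_PARAM}"
    return method.upper(), None


def should_block(method, target, headers):
    """Policy: refuse any request whose override would change the verb into one
    of RESTRICTED_VERBS. Returns (blocked, reason)."""
    effective, source = find_override(method, target, headers)
    if source is not None and effective in RESTRICTED_VERBS:
        return True, f"{method} tunnelled as {effective} via {source}"
    return False, ""


# Constructed sample requests, modelled on the scan report's attack request.
SAMPLES = [
    ("POST", "/account?_method=PUT", {"Host": "bb.example"}),
    ("POST", "/account", {"X-HTTP-Method-Override": "DELETE"}),
    ("GET", "/rest/api/1.0/projects", {"x-method-override": "put"}),
    ("POST", "/account", {}),                # plain POST, allowed
    ("POST", "/account?_method=POST", {}),   # override that changes nothing
]


def audit(samples=SAMPLES):
    """Run the policy over the samples; return one reason string per blocked request."""
    blocked = []
    for method, target, headers in samples:
        hit, reason = should_block(method, target, headers)
        if hit:
            blocked.append(reason)
    return blocked


if __name__ == "__main__":
    for reason in audit():
        print("BLOCK:", reason)
```

If the application itself never needs method override, the simpler rule is to strip or reject the listed headers and the `_method` parameter unconditionally at the proxy, so the backend only ever sees the real verb.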


1 answer

Hello Atlassian Team,

I am still not able to create a ticket and need help with the Bitbucket security scan. Please help create a ticket for the above issue/question.


If you need details on the others who are having the support ticket creation issue, go to: https://community.atlassian.com/t5/Confluence-discussions/Can-t-contact-Atlassian-Support/td-p/726938
