Sep 1, 2010

Blocking WebDAV methods

WebDAV is an extension to the HTTP protocol described in RFC 2518. There are vulnerabilities in Windows applications that can be exploited over WebDAV, so blocking outbound WebDAV traffic at the perimeter is a recommended practice.

The Modular Policy Framework (MPF) feature of the ASA/PIX can inspect HTTP traffic and block the MS WebDAV methods. Nevertheless, other applications may be making use of those methods (plain HTTP DELETE or COPY, for instance), so you should not implement this policy unless you are sure about its impact.

Below is an example of the policy needed to block outbound WebDAV traffic, attached to the default global policy:

regex x-ms-enumatts "X-MS-ENUMATTS"
class-map type inspect http match-any blocked_http_methods
 match request method bcopy
 match request method bdelete
 match request method bmove
 match request method bpropfind
 match request method bproppatch
 match request method copy
 match request method delete
 match request method lock
 match request method mkcol
 match request method move
 match request method notify
 match request method poll
 match request method propfind
 match request method proppatch
 match request method search
 match request method subscribe
 match request method unlock
 match request method unsubscribe
 match request method regex x-ms-enumatts
!
policy-map type inspect http http_policy
 class blocked_http_methods
  drop-connection log
!
policy-map global_policy
 class inspection_default
  inspect http http_policy
!

This policy matches any HTTP request that uses one of those methods, resets the connection (drop-connection) and logs it. Requests using other methods are allowed through without any log entry. Note that the inspection_default class only covers traffic on the default inspection ports, so WebDAV over HTTPS or over a non-standard port is not affected by this policy.

Finally, leave configuration mode and save the running configuration:

asa(config)# end
asa# wr mem

2 comments:

  1. A big thank you for this detailed post. I used this to implement a similar policy in a Citrix NetScaler's web application firewall.

    Rusty Nejdl