Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Testing for HTTP Verb Tampering (OTG-INPVAL-003) failed. #494

Closed
Charles1000Chen opened this issue Mar 27, 2024 · 4 comments · Fixed by #551
Closed

Testing for HTTP Verb Tampering (OTG-INPVAL-003) failed. #494

Charles1000Chen opened this issue Mar 27, 2024 · 4 comments · Fixed by #551
Assignees
@andy-maier
Labels
area: code resolution: delegated Pursued elsewhere resolution: fixed type: enhancement New feature or request
Milestone
1.7.0

Comments

@Charles1000Chen
Copy link
Contributor

Charles1000Chen commented Mar 27, 2024
edited
Loading

Describe the bug

The zhmc prometheus exporter failed in HTTP Verb Tampering tests because it accepts any HTTP verbs. It's expected that only the GET method is accepted. Refer to https://kennel209.gitbooks.io/owasp-testing-guide-v4/content/en/web_application_security_testing/testing_for_http_verb_tampering_otg-inpval-003.html

Expected behavior

The zhmc prometheus exporter only accepts HTTP GET request and all other HTTP requests are rejected with 403 error.

To Reproduce
Start zhmc prometheus exporter at the port 9800, then try to send http request to it with verb other than GET:

curl -i -X OPTIONS --cacert <ca_cert> --cert <client_cert> --key <client_key> https://:9800/metrics
curl -i -X HEAD --cacert <ca_cert> --cert <client_cert> --key <client_key> https://:9800/metrics
curl -i -X POST --cacert <ca_cert> --cert <client_cert> --key <client_key> https://:9800/metrics
curl -i -X PUT --cacert <ca_cert> --cert <client_cert> --key <client_key> https://:9800/metrics
curl -i -X DELETE --cacert <ca_cert> --cert <client_cert> --key <client_key> https://:9800/metrics
curl -i -X TRACE --cacert <ca_cert> --cert <client_cert> --key <client_key> https://:9800/metrics
curl -i -X CONNECT --cacert <ca_cert> --cert <client_cert> --key <client_key> https://:9800/metrics
...

Environment information

  • Output of zhmc_prometheus_exporter --version:
  • HMC version:

Command output
For any HTTP verb requests, it returns 200 and metrics data.

HTTP/1.0 200 OK
Date: Mon, 27 Mar 2024 01:18:07 GMT
Server: WSGIServer/0.2 CPython/3.10.12
Content-Type: text/plain; version=0.0.4; charset=utf-8
Content-Length: 533576
…...

Log file
<-- If possible, attach a log file generated with '--log-comp all=debug --log exporter.log'. -->
@andy-maier andy-maier self-assigned this Mar 28, 2024
@andy-maier andy-maier added type: enhancement New feature or request area: code labels Mar 28, 2024
@andy-maier andy-maier added this to the 1.6.0 milestone Mar 28, 2024
@andy-maier
Copy link
Member

Good point, Chen Mu. Will be fixed.

@andy-maier
Copy link
Member

I have raised this as an issue against the prometheus_client package: prometheus/client_python#1018

@andy-maier
Copy link
Member

I have submitted a PR on the prometheus_client package to address the issue there.

We need to wait for a reaction and use an updated version.

@andy-maier andy-maier modified the milestones: 1.6.0, 1.7.0 Apr 2, 2024
@andy-maier
Copy link
Member

Fixed in PR #551 .

@andy-maier andy-maier linked a pull request Jul 29, 2024 that will close this issue
Using prometheus_client 0.20.0.post1 #551
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@andy-maier andy-maier

Labels
area: code resolution: delegated Pursued elsewhere resolution: fixed type: enhancement New feature or request
Projects
None yet
Milestone
1.7.0
Development

Successfully merging a pull request may close this issue.

Using prometheus_client 0.20.0.post1 zhmcclient/zhmc-prometheus-exporter
2 participants
@andy-maier @Charles1000Chen