Getting IIS to return 405 on a disallowed verb

A PEN test discovered that a OPTIONS verb returned data from my (ASP.NET 4/MVC 5) server. Based on a number of sources, in the web.config, I've configured IIS to block this verb using

<system.webServer>
    <security>
        <requestFiltering>
            <verbs>
                <add verb="OPTIONS" allowed="false"/>
            </verbs>
        </requestFiltering>
    </security>
</system.webServer>

This "works" but reponds with a 404 (Not Found). The security team that did the PEN test say this is not sufficient. (And my client, who hired the team really wants me to conform to their requirements).

It's also not what I expect and want: Like said here"The request method is known by the server but has been disabled and cannot be used.", thus it should return a 405 (Method Not Allowed).

However, as described here the current response is by design: "When IIS rejects a request based on this feature, the error code logged is 404.6.". According to Wikipedia they call it "verb denied".

I don't get this. Why is -in this case suitable (or even standardized?)- response of "405" not given here? And more important: how can I get IIS to respond with a 405 on a disallowed verb/request method?

1 answer

  • answered 2021-02-20 14:59 JHBonarius

    I came up with a workaround using some custom error handling. My web.config now has

    <system.webServer>
        <security>
            <requestFiltering>
                <verbs>
                    <add verb="OPTIONS" allowed="false"/>
                </verbs>
            </requestFiltering>
        </security>
        <httpErrors errorMode="Custom" existingResponse="Replace" >
            <remove statusCode="404" subStatusCode="-1"/>
            <error statusCode="404" subStatusCode="6"
               path="/Error/MethodNotAllowed" responseMode="ExecuteURL"/>
            <error statusCode="404" path="/Error/NotFound" responseMode="ExecuteURL"/>
    [...etc]
        </httpErrors>
    </system.webServer>
    

    And I've added a method to my ErrorController.cs

    public class ErrorController : Controller
    {
    [...]
        public ActionResult MethodNotAllowed()
        {
            return new HttpStatusCodeResult(HttpStatusCode.MethodNotAllowed);
        }
    }
    

    And this seems to "work". When I use postmaster to request an OPTIONS, I get 405 and when I GET a non existing page, I still get my custom 404 page.