SharePoint Dragons

Nikander & Margriet on SharePoint

SharePoint 2013 IIS Lockdown: Dangerous HTTP methods

Security assessments typically advise locking down IIS and limiting the HTTP methods it accepts to the minimum the application needs.

Tools such as UrlScan (http://learn.iis.net/page.aspx/473/using-urlscan) can enforce such a verb filter, but the big question is whether it is a good idea to use such a tool in a SharePoint environment.

For a typical web application, support for the HTTP GET and POST methods may be enough, but SharePoint is not anywhere near typical. For starters, it supports the WebDAV, REST, and FrontPage Server Extensions protocols, each of which relies on methods beyond GET and POST.

The following URL contains a list of all known HTTP methods: http://msdn.microsoft.com/en-us/library/aa364664(v=vs.85).aspx

The next URL contains a list of all WebDAV methods: http://msdn.microsoft.com/en-us/library/aa142917(v=EXCHG.65).aspx

The problem is that we could not find an exhaustive list of the HTTP methods SharePoint supports. What we did find is that SharePoint uses at least the following methods (which is the majority of all defined HTTP methods):

– COPY, DELETE, GET, GETLIB, HEAD, LOCK, MERGE, MKCOL, MOVE, OPTIONS, POST, PROPFIND, PROPPATCH, PUT, UNLOCK.

Furthermore, the handlers section of the web.config files of SharePoint web applications indicates that most handlers accept ALL HTTP methods (verb="*"), so the web.config offers no narrower list to derive a filter from. We therefore consider it too risky to block the HTTP methods that hardening guides commonly flag as dangerous: several of them (PUT, DELETE, OPTIONS) appear in the list above, and blocking them would break WebDAV, REST or FrontPage Server Extensions functionality in ways that can only be found by testing every client scenario against the filtered web application. The only thing that would change our mind is an exhaustive list of all HTTP methods supported by SharePoint 2013, published by Microsoft themselves.
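To make the two checks above repeatable, here is a small script added for this post (it is not SharePoint code, and it is not a tool the blog used): it reads the handlers section of a web.config and reports which handlers accept every verb, and it compares a candidate UrlScan [AllowVerbs] list against the methods listed above to show which SharePoint methods the filter would reject. The web.config fragment is constructed for the example and its handler names, paths and verb lists are invented; the set of "commonly restricted" methods is our assumption of what a typical hardening guide blocks; the UrlScan.ini keys (UseAllowVerbs, [AllowVerbs]) are the ones UrlScan 3.x documents.

```python
import xml.etree.ElementTree as ET

# Constructed web.config fragment shaped like the system.webServer/handlers
# section of a SharePoint web application. Handler names, paths and verb
# lists are illustrative samples, not copied from a real SharePoint web.config.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.webServer>
    <handlers>
      <add name="SampleOwssvrHandler" path="owssvr.dll" verb="*" modules="IsapiModule" />
      <add name="SampleDavHandler" path="*" verb="OPTIONS,PROPFIND,PROPPATCH,LOCK,UNLOCK" modules="IsapiModule" />
      <add name="SampleRestHandler" path="_vti_bin/client.svc" verb="GET,POST" modules="ManagedPipelineHandler" />
      <add name="SampleStaticHandler" path="*.css" verb="GET,HEAD" modules="StaticFileModule" />
    </handlers>
  </system.webServer>
</configuration>
"""

# HTTP methods the post observed SharePoint 2013 using.
SHAREPOINT_METHODS = frozenset({
    "COPY", "DELETE", "GET", "GETLIB", "HEAD", "LOCK", "MERGE", "MKCOL",
    "MOVE", "OPTIONS", "POST", "PROPFIND", "PROPPATCH", "PUT", "UNLOCK",
})

# Assumption: the methods a typical IIS hardening guide wants blocked.
COMMONLY_RESTRICTED = frozenset({"TRACE", "TRACK", "OPTIONS", "PUT", "DELETE", "CONNECT"})


def handler_verbs(web_config_xml):
    """Return {handler name: set of verbs}; a set containing "*" means every method.

    Reads <system.webServer><handlers><add verb="..."/> entries. A missing
    verb attribute is treated as "*", which is the IIS default.
    """
    root = ET.fromstring(web_config_xml)
    result = {}
    for add in root.iterfind("./system.webServer/handlers/add"):
        verbs = add.get("verb", "*")
        result[add.get("name")] = {v.strip().upper() for v in verbs.split(",") if v.strip()}
    return result


def wildcard_handlers(web_config_xml):
    """Names of handlers that accept every HTTP method (verb="*")."""
    return sorted(name for name, verbs in handler_verbs(web_config_xml).items() if "*" in verbs)


def blocked_methods(allow_verbs, required=SHAREPOINT_METHODS):
    """Required methods that a UrlScan [AllowVerbs] list would reject."""
    allowed = {v.strip().upper() for v in allow_verbs}
    return sorted(required - allowed)


def conflicting_methods():
    """Methods that are both 'commonly restricted' and needed by SharePoint."""
    return sorted(COMMONLY_RESTRICTED & SHAREPOINT_METHODS)


def urlscan_allowverbs_ini(allow_verbs):
    """Render the UrlScan.ini fragment that permits only the given verbs."""
    lines = ["[options]", "UseAllowVerbs=1", "", "[AllowVerbs]"]
    lines += sorted({v.strip().upper() for v in allow_verbs})
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print("Handlers accepting every verb:", wildcard_handlers(SAMPLE_WEB_CONFIG))
    typical_lockdown = ["GET", "HEAD", "POST"]
    print("SharePoint methods a GET/HEAD/POST-only filter would block:")
    print("  ", ", ".join(blocked_methods(typical_lockdown)))
    print("'Dangerous' methods SharePoint actually uses:", conflicting_methods())
    print(urlscan_allowverbs_ini(typical_lockdown))
```

Run it against a copy of a real web.config by replacing SAMPLE_WEB_CONFIG with the file's contents; if wildcard_handlers() returns most of the handlers, as the post observed, the web.config cannot tell you which verbs are safe to drop, and blocked_methods() shows what a proposed filter would cost.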
