Security - Limit the supported HTTP verbs - custom verbs like PENTEST are currently allowed
Preflight Checklist
- [X] I agree to follow the Code of Conduct that this project adheres to.
- [X] I have searched the issue tracker for an issue that matches the one I want to file, without success.
- [X] I am not looking for support or already pursued the available support channels without success.
Version
2.25.0
Storage Type
SQLite
Installation Type
Binary
Expected Behavior
We're using DEX in conjunction with WAS Liberty. WAS is checking with DEX whether the user needs to be authenticated and then does the redirect when needed.
Everything is working fine as it is; however, our penetration test team flagged DEX as allowing custom HTTP verbs. The redirect URL is as follows:
https://localhost:7600/dex/auth?response_type=code&client_id=<CLIENT_ID>&state=0016444436695785CTZFmKoD&redirect_uri=https://localhost:9443/oidcclient/redirect/<CLIENT_ID>&scope=openid+profile+groups+email+federated:id&language=en
They took that URL and used a REST client to change the request from the regular GET to PENTEST, and they were expecting to get an error message similar to:
The request was rejected because the HTTP method "PENTEST" was not included within the whitelist [HEAD, DELETE, POST, GET, OPTIONS, PATCH, PUT]
Actual Behavior
The request actually succeeded and showed the DEX login page without showing any errors.
We looked over the current DEX configuration and couldn't find any way to restrict the allowed HTTP verbs.
Steps To Reproduce
No response
Additional Information
No response
Configuration
No response
Logs
No response
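The behaviour in this report (a path-only route serving any syntactically valid method token, so PENTEST gets the same page as GET) and the fix the reporter is asking for (an allowlist of HTTP methods) are shown below as an added example. This is not Dex's code and not a proposed patch to it: it is a generic Go net/http middleware, since Dex is written in Go, using the allowlist quoted in the report. The stand-in mux (newAuthMux), the probe path and its client_id value are constructed for the example; Go's net/http passes any valid method token through to the handler, and a ServeMux pattern without a method prefix matches every method, which is why the unguarded handler answers 200 to PENTEST.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"sort"
	"strings"
)

// allowedMethods is the allowlist quoted in the report
// ([HEAD, DELETE, POST, GET, OPTIONS, PATCH, PUT]); anything else is rejected.
var allowedMethods = map[string]bool{
	http.MethodHead: true, http.MethodDelete: true, http.MethodPost: true,
	http.MethodGet: true, http.MethodOptions: true, http.MethodPatch: true,
	http.MethodPut: true,
}

// allowHeader renders the allowlist as the value of the Allow response header.
func allowHeader() string {
	names := make([]string, 0, len(allowedMethods))
	for m := range allowedMethods {
		names = append(names, m)
	}
	sort.Strings(names)
	return strings.Join(names, ", ")
}

// RestrictMethods wraps next and answers 405 Method Not Allowed, with an
// Allow header, for any request whose method is not on the allowlist.
func RestrictMethods(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !allowedMethods[r.Method] {
			w.Header().Set("Allow", allowHeader())
			http.Error(w, fmt.Sprintf("HTTP method %q is not allowed", r.Method),
				http.StatusMethodNotAllowed)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// newAuthMux is a constructed stand-in for the server in the report: a mux
// with a path-only route, which serves the "login page" for any method.
func newAuthMux() *http.ServeMux {
	mux := http.NewServeMux()
	mux.HandleFunc("/dex/auth", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "login page (served for method %s)\n", r.Method)
	})
	return mux
}

// Probe sends a single in-memory request with the given method to h and
// returns the response status code. The query string is constructed.
func Probe(h http.Handler, method string) int {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(method, "/dex/auth?response_type=code&client_id=example", nil)
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	bare := newAuthMux()
	guarded := RestrictMethods(newAuthMux())
	for _, m := range []string{"GET", "POST", "PENTEST"} {
		fmt.Printf("%-8s unguarded=%d guarded=%d\n", m, Probe(bare, m), Probe(guarded, m))
	}
}
```

Running main prints 200 for every method against the bare mux and 405 for PENTEST against the guarded one. Wrapping the whole server handler this way is the simplest place to enforce the list; as an alternative on Go 1.22 and later, registering routes with method-qualified patterns such as "GET /dex/auth" makes ServeMux itself answer 405 with an Allow header for other methods. Either way, a custom verb reaching a handler is only a real problem if the handler's logic differs by method, so the check worth doing alongside the allowlist is that each endpoint explicitly handles the methods it expects.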