Why does OWASP suggest using POST over PUT for file uploads?

TL;DR: PUT is not supported by a good deal of things. Sometimes it is only available as an extension, and enabling extensions increases your attack surface.


@iain is correct in the comment that the SO question "PUT vs POST in REST" is relevant here. From the RESTfulness point of view PUT is fine for updating or even overwriting a file.

Yet, if you argue from the security standpoint the original HTML forms never did support PUT, only GET and POST. A lot of info about this can be found on Are the PUT, DELETE, HEAD, etc methods available in most web browsers?, although some info there is obsolete and some links are dead. So I'll summarize it here:

HTML

AJAX supports GET, POST, PUT and even DELETE. But the common form in a browser doesn't. HTML5 did add support for PUT and DELETE in its draft versions, but neither PUT nor DELETE can be found in the current definition of HTML5 infrastructure. In other words, browsers have no obligation to understand <form method="PUT"> to conform to HTML5.

Webservers

Both Apache and Nginx use PUT and DELETE as WebDAV extensions. If you want to harden your webserver, one thing you often do is compile it without the WebDAV extensions. Adding extensions increases the attack surface.

Web frameworks, on the other hand, often do not support PUT. Or, more commonly, they simply use the same function to process POST and PUT, making the use of the PUT verb really the same as POST.


So yeah, the OWASP guideline makes some sense. Although I would rewrite it as: "If you are implementing full REST, use PUT; if you aren't, use POST because it is more widely supported".
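The following Node.js script is an added example and is not part of the original question or answer. It makes two of the points above concrete: first, how a browser resolves the form `method` attribute under the HTML Living Standard (it is an enumerated attribute with the keywords `get`, `post` and `dialog`, and both the missing-value and the invalid-value default are the GET state, so `<form method="PUT">` is submitted as a GET and a file input contributes only its file name), and second, a server-side allow-list for an upload route that answers PUT and DELETE with `405` and an `Allow` header instead of letting a framework quietly route them to the POST handler. The route name `/upload`, the field names, the file contents and the multipart boundary are constructed for the demo; nothing here is the OWASP or any framework's own code.

```javascript
// Added example (not from the original post). Node.js, no dependencies.
// Everything below (route name, fields, file bytes, boundary) is constructed.

// Browser side: the form "method" attribute is an enumerated attribute whose
// keywords are "get", "post" and "dialog", compared ASCII case-insensitively.
// Missing-value default and invalid-value default are both the GET state, so
// method="PUT" or method="DELETE" behaves exactly like no method attribute.
function resolveFormMethod(attrValue) {
  if (attrValue === null || attrValue === undefined) return "GET";
  switch (String(attrValue).toLowerCase()) {
    case "get":    return "GET";
    case "post":   return "POST";
    case "dialog": return "DIALOG"; // only meaningful inside <dialog>
    default:       return "GET";    // invalid value default
  }
}

// Simulate what the browser sends for a form. `fields` entries are either
// {name, value} (text input) or {name, filename, content} (file input).
function simulateFormSubmit({ method, action, fields }) {
  const verb = resolveFormMethod(method);
  if (verb === "GET") {
    // GET serialises the entry list as application/x-www-form-urlencoded in
    // the query string. A file entry contributes only its file name; the
    // file bytes never leave the browser, so the "upload" silently fails.
    const qs = new URLSearchParams();
    for (const f of fields) qs.append(f.name, f.filename !== undefined ? f.filename : f.value);
    return { method: "GET", url: `${action}?${qs.toString()}`, headers: {}, body: null };
  }
  if (verb === "POST") {
    // POST with enctype=multipart/form-data carries the actual file bytes.
    const boundary = "----demo-boundary-7f1c"; // constructed
    const parts = fields.map((f) =>
      f.filename !== undefined
        ? `--${boundary}\r\nContent-Disposition: form-data; name="${f.name}"; filename="${f.filename}"\r\n` +
          `Content-Type: application/octet-stream\r\n\r\n${f.content}\r\n`
        : `--${boundary}\r\nContent-Disposition: form-data; name="${f.name}"\r\n\r\n${f.value}\r\n`);
    return {
      method: "POST",
      url: action,
      headers: { "Content-Type": `multipart/form-data; boundary=${boundary}` },
      body: parts.join("") + `--${boundary}--\r\n`,
    };
  }
  return null; // "dialog" closes the dialog; no request is sent
}

// Server side: an explicit allow-list per route. Any verb that is not listed
// gets 405 with an Allow header and never reaches application code, which is
// the opposite of a framework that maps PUT and POST onto the same handler.
const ROUTES = {
  "/upload": {
    POST: (req) => ({ status: 201, body: `stored ${req.body.length} bytes` }),
  },
};

function handle(req) {
  const route = ROUTES[new URL(req.url, "http://localhost").pathname];
  if (!route) return { status: 404, headers: {}, body: "not found" };
  const allowed = Object.keys(route);
  if (!allowed.includes(req.method)) {
    return { status: 405, headers: { Allow: allowed.join(", ") }, body: "method not allowed" };
  }
  const r = route[req.method](req);
  return { status: r.status, headers: {}, body: r.body };
}

// Run the two forms through both halves and return everything for inspection.
function demo() {
  const fields = [
    { name: "title", value: "report" },
    { name: "file", filename: "report.pdf", content: "%PDF-1.4 constructed demo bytes" },
  ];
  const viaPut = simulateFormSubmit({ method: "PUT", action: "/upload", fields });
  const viaPost = simulateFormSubmit({ method: "post", action: "/upload", fields });
  return {
    viaPut,                                  // degrades to GET, no body
    viaPost,                                 // real multipart upload
    putResponse: handle(viaPut),             // 405, Allow: POST
    postResponse: handle(viaPost),           // 201
    realPut: handle({ method: "PUT", url: "/upload", body: "x" }), // 405 from a non-browser client
  };
}

module.exports = { resolveFormMethod, simulateFormSubmit, handle, demo };
```

Running `demo()` shows the failure mode the answer describes: the `method="PUT"` form arrives as `GET /upload?title=report&file=report.pdf` with no body, while the `method="post"` form arrives as a multipart POST carrying the file. The same allow-list can be enforced in front of the application; in nginx, `limit_except POST { deny all; }` inside the upload `location` rejects every other verb before it reaches a framework that might treat PUT as POST.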