[WEB SECURITY] Bypassing URL Authentication and Authorization with HTTP Verb Tampering

Martin O'Neal martin.oneal at corsaire.com
Thu May 29 06:16:29 EDT 2008


The paper is grammatically well written but somewhat states the obvious.
I think the most surprising bit about this is the list of people on the
blog who it is claimed didn't know about this stuff.  

The core of the issue is the implicit-allow used in some rulebases,
which is ancient news.  Firewall engineers all over the globe will be
spitting coffee and soggy doughnut bits into their keyboards when they
find this in their in-box...

We test for this stuff as part of our standard methodology, and one of
the things that isn't picked out in the paper which we see from time to
time is functional configuration to block unwanted methods, but only
applied to the root URI (and not flowing down the tree on a wild-card).
Generally the tools won't pick this up, but you can happily get
OPTIONS/TRACE/TRACK/DELETE/WEBDAV/PUT etc to run on a URI post auth,
further down the tree.

The other thing not mentioned in the paper is that you need to watch out
when testing this stuff, as some of the MITMs use common libraries to
deliver the HTTP transport, which helpfully fix your deliberately broken
methods or silently drop the request.

Martin...
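As an added illustration of the two rulebase styles Martin contrasts (not his code, nor any product's configuration), the Python below models a deny rule bound to the root URI with implicit allow elsewhere, next to a default-deny allow list that is inherited down the URI tree by longest-prefix match. The policies, path prefixes and probe requests are constructed for the example; `DENY_AT_ROOT`, `ALLOW_BY_PREFIX` and the function names are assumptions, not anything from the paper or the post.

```python
"""Added example: two ways to express an HTTP method policy.

implicit_allow_root_only() mirrors the misconfiguration described in the post:
a deny rule for unwanted methods that is attached to the root URI only, with
everything it does not match implicitly allowed.  default_deny_inherited() is
the corrected shape: an explicit allow list per path prefix, the most specific
prefix wins, and any method not listed is refused at every depth of the tree.
"""
import posixpath
import re
from typing import Callable, Dict, FrozenSet, List, Tuple

# Constructed deny rule in the "root only" style (hypothetical rulebase).
DENY_AT_ROOT: Dict[str, FrozenSet[str]] = {
    "/": frozenset({"OPTIONS", "TRACE", "TRACK", "DELETE", "PUT"}),
}

# Constructed allow list keyed by path prefix (hypothetical policy).
ALLOW_BY_PREFIX: Dict[str, FrozenSet[str]] = {
    "/": frozenset({"GET", "HEAD"}),
    "/api/": frozenset({"GET", "HEAD", "POST"}),
    "/api/admin/": frozenset({"GET", "HEAD", "POST", "DELETE"}),
}


def canonical_path(raw: str) -> str:
    """Strip query/fragment, collapse repeated slashes and dot segments, so a
    request cannot land in a more permissive prefix via '/x/../y' or '//x'."""
    path = raw.split("?", 1)[0].split("#", 1)[0]
    path = re.sub(r"/+", "/", path)
    if not path.startswith("/"):
        path = "/" + path
    return posixpath.normpath(path)


def implicit_allow_root_only(method: str, raw_path: str) -> bool:
    """Weak rulebase: deny list on the root URI, exact path match only,
    implicit allow for everything else (the hole the post describes)."""
    denied = DENY_AT_ROOT.get(canonical_path(raw_path), frozenset())
    return method not in denied


def allowed_methods(path: str,
                    policy: Dict[str, FrozenSet[str]] = ALLOW_BY_PREFIX) -> FrozenSet[str]:
    """Longest-prefix lookup; a prefix ending in '/' also covers the bare
    directory path.  A path matching no prefix gets an empty set (deny)."""
    best = None
    for prefix in policy:
        if path == prefix.rstrip("/") or path.startswith(prefix):
            if best is None or len(prefix) > len(best):
                best = prefix
    return policy[best] if best is not None else frozenset()


def default_deny_inherited(method: str, raw_path: str) -> bool:
    """Corrected rulebase: the method token must appear verbatim in the allow
    list of the most specific prefix.  Method tokens are case-sensitive per
    RFC 7231, so 'get' or an invented verb is refused rather than folded."""
    return method in allowed_methods(canonical_path(raw_path))


def audit(evaluator: Callable[[str, str], bool],
          probes: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return the (method, path) pairs an evaluator would let through."""
    return [(m, p) for m, p in probes if evaluator(m, p)]


# Constructed probe set: root, a deeper URI, a traversal attempt, odd tokens.
PROBES: List[Tuple[str, str]] = [
    ("GET", "/"),
    ("DELETE", "/"),
    ("DELETE", "/app/account"),
    ("TRACE", "/app/account"),
    ("DELETE", "/api/admin/../users"),
    ("get", "/"),
    ("FOO", "/api/users"),
]

if __name__ == "__main__":
    for name, fn in (("implicit-allow, root only", implicit_allow_root_only),
                     ("default-deny, inherited", default_deny_inherited)):
        print(f"{name}: passes {audit(fn, PROBES)}")
```

Run it and the root-only deny list lets six of the seven probes through, including DELETE and TRACE on a URI one level below root; the inherited allow list passes only `GET /`. The evaluator compares the raw method token, which matters for the testing caveat in the post: if the proxy or library between the tester and the server rewrites or drops an unusual token, the server-side policy is never actually exercised for it.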
