[WEB SECURITY] Bypassing URL Authentication and Authorization with HTTP Verb Tampering

Martin O'Neal martin.oneal at corsaire.com
Thu May 29 08:19:42 EDT 2008

> It is obvious after reading the paper, isn't it? 

You are having a laugh, no?  RFC2616: "The HEAD method is identical to
GET except that the server MUST NOT return a message-body in the
response".  And your expectation of how this would be otherwise
implemented in a server other than a wrapper for GET?  Wasteful,
unmanageable, duplicate code?

> The journalist's assassin word: "claim" - always 
> used to install doubt without having actually 
> doing any follow up. 

Ooop; a bit defensive there.  I was commenting based on the content in
the blog, which is primarily written by you.  I haven't spoken to any of
the chaps listed, so logically whether they did or didn't know is
unsubstantiated (this isn't a personal attack on your integrity, it is
an auditors approach to life; if I can't validate it, then it is chalked
up as conjecture until I can).  So in context, the use of "claimed" is
both accurate and appropriate.  Like 9 out of 10 cat owners will know.

> Did you read the paper? 

Yes and watched the clip too.

> The HEAD-redirect-to-GET and arbitrary verbs being forwarded to GET
handler are the unique takeaways. 

You're not getting this are you?  HEAD *is* GET, just without the body.
It is by design!  I'm not sure how or why you would expect something


Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn

More information about the websecurity mailing list