[WEB SECURITY] Bypassing URL Authentication and Authorization with HTTP Verb Tampering

Arshan Dabirsiaghi arshan.dabirsiaghi at aspectsecurity.com
Thu May 29 07:42:14 EDT 2008


I'd like to respond inline:
 
> The paper is grammatically well written but somewhat states the obvious.
 
It is obvious after reading the paper, isn't it? Well, that's the goal of the paper. =) Given the amount of off-list responses I got from bugtraq... I don't know, I can't think of a really good way of saying I think you're just wrong. 
 
> I think the most surprising bit about this is the list of people on the
> blog who it is claimed didn't know about this stuff. 
 
The journalist's assassin word: "claim" - always used to instill doubt without actually having done any follow-up. You can talk to any of them, though you'll probably want to be a little less insulting with the 'obvious' bit. If there is definitive prior art I'm happy to cite it, but the only thing that's obvious is that the new stuff in the paper is not common knowledge.
 
> The core of the issue is the implicit-allow used in some rulebases,
> which is ancient news. 

Did you read the paper? The HEAD-redirect-to-GET and arbitrary verbs being forwarded to the GET handler are the unique takeaways. There is a lot of supporting information in there to allow the conversation to get to that point. We've all changed a GET to a POST or a POST to a GET to bypass some poorly built URL authorization scheme. That's so not what this is about.
 
I think it's very telling that I've gotten loads of off-list emails with the complete opposite feedback, and from people who you'd think are "in the know". Something about appearing to not know about something in public scares people - especially something (HEAD/arbitrary verb handling) that is so fundamental to what we do.
 
Cheers,
Arshan
 
 
________________________________

From: Martin O'Neal [mailto:martin.oneal at corsaire.com]
Sent: Thu 5/29/2008 6:16 AM
To: Arshan Dabirsiaghi; websecurity at webappsec.org
Subject: RE: [WEB SECURITY] Bypassing URL Authentication and Authorization with HTTP Verb Tampering
The paper is grammatically well written but somewhat states the obvious.
I think the most surprising bit about this is the list of people on the
blog who it is claimed didn't know about this stuff. 

The core of the issue is the implicit-allow used in some rulebases,
which is ancient news.  Firewall engineers all over the globe will be
spitting coffee and soggy doughnut bits into their keyboards when they
find this in their in-box...

We test for this stuff as part of our standard methodology, and one of
the things that isn't picked out in the paper which we see from time to
time is functional configuration to block unwanted methods, but only
applied to the root URI (and not flowing down the tree on a wild-card).
Generally the tools won't pick this up, but you can happily get
OPTIONS/TRACE/TRACK/DELETE/WEBDAV/PUT etc to run on a URI post auth,
further down the tree.

The other thing not mentioned in the paper is that you need to watch out
when testing this stuff, as some of the MITMs use common libraries to
deliver the HTTP transport, which helpfully fix your deliberately broken
methods or silently drop the request.

Martin...