[WEB SECURITY] Bypassing URL Authentication and Authorization with HTTP Verb Tampering

Arshan Dabirsiaghi arshan.dabirsiaghi at aspectsecurity.com
Thu May 29 10:08:45 EDT 2008

The answer to your question is pretty self-evident in the email you replied to, so I guess I'll quote myself:

> It's not that we expect anything else from HEAD, indeed it's doing exactly as the spec says - we're just alerting
> most people to its usefulness to attackers to access non-idempotent GETs behind URL authorization schemes.
> That is the fact that, which you may still not believe, is not well known. Of course that's just half the story, the
> other half is the vendor craziness when dealing with arbitrary HTTP verbs.

You're free to disagree with the "awareness" issue, but I think you'd be wrong. In my opinion, your characterization of it as being-in-line-with-the-RFC-so-it-can't-possibly-be-problematic is unreasonable and actually tangential to the point: many people rely on this, it's wrong, and we are having a hard time finding anyone prior that says the same thing.


From: Martin O'Neal [mailto:martin.oneal at corsaire.com]
Sent: Thu 5/29/2008 9:58 AM
To: Arshan Dabirsiaghi; websecurity at webappsec.org
Subject: RE: [WEB SECURITY] Bypassing URL Authentication and Authorization with HTTP Verb Tampering

> Not sure how you can question whether or not I know the RFC

I'm not questioning your familiarity with the RFC, I'm questioning your
assertion that "The HEAD-redirect-to-GET and arbitrary verbs being
forwarded to GET handler are the unique takeaways".

A web server working as per the RFC is a unique discovery worthy of a
paper in what way?
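As an added illustration of the point argued in this thread (example code written for this page, not the thread's own code and not any vendor's container), the following hypothetical Python model shows why a URL authorization rule that lists the HTTP methods it covers is weaker than one that covers every method. The mini-dispatcher mirrors the container behaviour described above: HEAD, and any verb without its own handler, falls through to the GET handler. The `Constraint`, `Request`, `authorize` and `dispatch` names, the `/admin/delete` path and the `alice` user are all constructed for the example.

```python
"""Hypothetical model of method-scoped URL authorization (constructed example)."""

from dataclasses import dataclass
from typing import Optional, Set, List, Dict, Callable


@dataclass
class Request:
    method: str
    path: str
    user: Optional[str]  # None means unauthenticated


@dataclass
class Constraint:
    """An access rule on a URL prefix; methods=None covers every verb."""
    path_prefix: str
    roles: Set[str]
    methods: Optional[Set[str]] = None


# Constructed sample user database: one admin user.
USER_ROLES: Dict[str, Set[str]] = {"alice": {"admin"}}


def constraint_applies(c: Constraint, req: Request) -> bool:
    if not req.path.startswith(c.path_prefix):
        return False
    # Method-scoped rules silently ignore any verb they do not list.
    return c.methods is None or req.method in c.methods


def authorize(constraints: List[Constraint], req: Request) -> bool:
    """True if every applicable constraint is satisfied by the user's roles."""
    for c in constraints:
        if constraint_applies(c, req):
            if not USER_ROLES.get(req.user or "", set()) & c.roles:
                return False
    return True


# Audit trail used to show whether the state-changing handler actually ran.
AUDIT_LOG: List[str] = []


def do_get(req: Request) -> int:
    # A non-idempotent action exposed on GET, the case the thread worries about.
    AUDIT_LOG.append(f"account deleted via {req.method}")
    return 200


HANDLERS: Dict[str, Callable[[Request], int]] = {"GET": do_get}


def dispatch(constraints: List[Constraint], req: Request) -> int:
    """Authorize, then route. HEAD and unknown verbs reach the GET handler."""
    if not authorize(constraints, req):
        return 403
    handler = HANDLERS.get(req.method, do_get)
    return handler(req)


# Weak rule: only GET and POST to /admin/ require the admin role.
WEAK = [Constraint("/admin/", {"admin"}, methods={"GET", "POST"})]
# Hardened rule: every verb to /admin/ requires the admin role.
HARDENED = [Constraint("/admin/", {"admin"})]


def demo(constraints: List[Constraint], method: str, user: Optional[str] = None) -> int:
    """Status code returned for a request to the protected /admin/delete path."""
    return dispatch(constraints, Request(method, "/admin/delete", user))


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        for verb in ("GET", "HEAD", "FOO"):
            print(f"{name:9} {verb:5} anonymous -> {demo(cfg, verb)}")
    print("handler ran", len(AUDIT_LOG), "time(s)")
```

Under the weak rule an anonymous GET is refused, but an anonymous HEAD or an unknown verb passes authorization (no listed method matched) and still executes the GET handler, so the audit log records the deletion. Under the hardened rule the role check applies regardless of verb, and only the admin user reaches the handler. The defensive takeaway matches the thread: write URL authorization rules as deny-by-default over all methods, and do not expose state changes on GET.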


