[WEB SECURITY] Bypassing URL Authentication and Authorization with HTTP Verb Tampering

Arshan Dabirsiaghi arshan.dabirsiaghi at aspectsecurity.com
Thu May 29 11:11:07 EDT 2008


I don't exactly know why, but you're trying to blur the difference between "alerting the world when most of them are doing it wrong" and "knowing what the RFC says", which is fairly unimportant.
 
If this is a well-known issue, please point me to the CWE ID or any other prior listing of this information. I'm not saying you didn't already have this attack technique in your pocket; I'm saying that the world needed an alert.
 
Incidentally, if there is no prior art out there, and someone releases something, and you say "I knew about that before you did!!! And seeing it out on the Interweb makes me soooOO madd!!", you are an idiot.
 
Love,
Arshan

________________________________

From: Martin O'Neal [mailto:martin.oneal at corsaire.com]
Sent: Thu 5/29/2008 10:25 AM
To: Arshan Dabirsiaghi; websecurity at webappsec.org
Subject: RE: [WEB SECURITY] Bypassing URL Authentication and Authorization with HTTP Verb Tampering




Ok, so you've changed your mind then; the HEAD-redirect-to-GET isn't
anything unique.

Which leaves you with making people aware of the problems with
implicit-allow rules.  Which is old news.  Which is where we started
out.

Martin...

