[WEB SECURITY] Bypassing URL Authentication and Authorization with HTTP Verb Tampering

Arshan Dabirsiaghi arshan.dabirsiaghi at aspectsecurity.com
Thu May 29 11:55:59 EDT 2008

The list server is being a little slow, or you'd see me clarify that we're not claiming to invent verb tampering. I was personally taken aback when I actually looked at the RFC and tested the various vendors. I simply could not believe anyone else had not done this. These were the facts we were faced with when deciding what to do with the info:

	Clearly this is not well known among application developers (no surprise there)
	It did not appear to be well known when we sampled the security community luminaries (in fact, the response was overwhelmingly something to the effect of "oh, shit, that could be bad")
	There was nothing we could find that pointed to other people doing this before
	Verb tampering is something that we thought many pen testers (and some tools, like Sentinel) have done at some point, but not as part of any standard methodology or to specifically evade a particular mechanism

I'm actually a little relieved to see that NGS and IIS had played in this area before, even if they had not published on it. Share-nothing attitudes, though, won't get us very far as a community (which I'm sensing may not actually exist).



From: Gunter Ollmann [mailto:gollmann at us.ibm.com]
Sent: Thu 5/29/2008 11:32 AM
To: Arshan Dabirsiaghi
Cc: Martin O'Neal; websecurity at webappsec.org
Subject: RE: [WEB SECURITY] Bypassing URL Authentication and Authorization with HTTP Verb Tampering

"Arshan Dabirsiaghi" <arshan.dabirsiaghi at aspectsecurity.com> wrote on 05/29/2008 08:47:02 AM:
> > The HTTP specification, RFC 2616 [1], specifies that HEAD requests
> should produce the same results as 
> > a GET request but with no response body.
> It's not that we expect anything else from HEAD, indeed it's doing 
> exactly as the spec says - we're just alerting most people to its 
> usefulness to attackers to access non-idempotent GETs behind URL 
> authorization schemes. That is the fact that, which you may still 
> not believe, is not well known. Of course that's just half the 
> story, the other half is the vendor craziness when dealing with 
> arbitrary HTTP verbs.

Now, I don't normally pipe up in these kinds of discussions, but I'm afraid I'm going to have to agree with Martin on this.

Your paper is a good summary of the problem, but let's not get caught up on any novelty of this vector.

Any of the pentesters I've worked with in the past decade will tell you how they use these techniques to bypass restricting authentication/authorization filtering. For example, the 3-day "Ethical Hacking" training course given by ISS from 2001-2005 covered these techniques, and I believe that the NGS Software "Web Application (In)security" courses at Blackhat have covered/discussed it as well.

You'll also find a few bruteforce attack tools that will flip to HEAD etc. for launching attacks - but this is a little more to do with speed improvements and bandwidth constraints - but, at the end of the day, I can't agree with the assertion that this is not well known.

I don't have a copy handy, but you may also want to check out Dafydd Stuttard's and Marcus Pinto's book "The Web Application Hacker's Handbook" http://www.amazon.com/Web-Application-Hackers-Handbook-Discovering/dp/0470170778/ref=sr_1_1?ie=UTF8&s=books&qid=1212074361&sr=8-1
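The mechanism the thread argues about, a URL authorization rule scoped to specific verbs that a HEAD request (served by the same GET handler per RFC 2616) or an arbitrary verb simply does not match, is modelled below as an added example; it is not code from the thread, from Aspect Security, or from any vendor mentioned. The names Rule, is_allowed, is_allowed_hardened and unusual_verb_hits are hypothetical, the policy shape imitates a servlet-style constraint that lists methods explicitly, and the log lines are constructed. The weak policy is shown beside the hardened one, and a small log check flags the pattern a defender would look for.

```python
"""Added example: verb-scoped URL authorization, its HEAD/unknown-verb gap, and the fix."""
import re
from dataclasses import dataclass


@dataclass
class Rule:
    path_prefix: str
    required_role: str
    # Verbs the constraint is declared for; an empty tuple means "every method".
    methods: tuple = ()


# Constructed sample policy (the weak pattern): /admin/ requires role "admin",
# but the constraint is declared only for GET and POST.
WEAK_RULES = [Rule("/admin/", "admin", ("GET", "POST"))]

# Hardened policy: the same constraint, declared for every method.
HARDENED_RULES = [Rule("/admin/", "admin", ())]


def is_allowed(rules, method, path, user_roles):
    """Model of a verb-scoped authorization filter.

    A rule only applies when the request verb is listed (or the list is empty);
    a request matching no rule is permitted. That default is what lets a HEAD
    or arbitrary-verb request reach a handler that a GET-only rule protects.
    """
    for rule in rules:
        if not path.startswith(rule.path_prefix):
            continue
        if rule.methods and method.upper() not in rule.methods:
            continue  # constraint does not cover this verb, so it is skipped
        return rule.required_role in user_roles
    return True


def normalize_method(method):
    """Authorize HEAD as GET (it is served by the GET code path) and map any
    verb outside the expected set to None so the caller denies it."""
    m = method.upper()
    if m == "HEAD":
        return "GET"
    if m in {"GET", "POST", "PUT", "DELETE", "OPTIONS", "TRACE"}:
        return m
    return None


def is_allowed_hardened(rules, method, path, user_roles):
    """Same filter with verb normalisation in front of it: unknown verbs are
    denied outright and HEAD is checked under the GET rule."""
    m = normalize_method(method)
    if m is None:
        return False
    return is_allowed(rules, m, path, user_roles)


# Detection side: flag successful non-GET/POST requests to a protected prefix
# in CLF-style access logs.
LOG_RE = re.compile(r'"(?P<method>\S+) (?P<path>\S+) HTTP/\d\.\d" (?P<status>\d{3})')


def unusual_verb_hits(log_lines, protected_prefix="/admin/"):
    """Return (method, path, status) for requests under protected_prefix that
    used a verb other than GET/POST and received a non-error status."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        method, path, status = m.group("method"), m.group("path"), int(m.group("status"))
        if path.startswith(protected_prefix) and method not in ("GET", "POST") and status < 400:
            hits.append((method, path, status))
    return hits


# Constructed sample log: a GET to the admin URL is refused, a HEAD to the same
# URL succeeds, and an ordinary public request is present as noise.
SAMPLE_LOG = [
    '10.0.0.5 - - [29/May/2008:11:55:59 -0400] "GET /admin/deleteUser?id=7 HTTP/1.1" 403 0',
    '10.0.0.5 - - [29/May/2008:11:56:03 -0400] "HEAD /admin/deleteUser?id=7 HTTP/1.1" 200 0',
    '10.0.0.9 - - [29/May/2008:11:57:10 -0400] "GET /public/index.html HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    anon = set()
    print("weak, GET :", is_allowed(WEAK_RULES, "GET", "/admin/deleteUser", anon))
    print("weak, HEAD:", is_allowed(WEAK_RULES, "HEAD", "/admin/deleteUser", anon))
    print("hardened, HEAD:", is_allowed_hardened(WEAK_RULES, "HEAD", "/admin/deleteUser", anon))
    print("log hits:", unusual_verb_hits(SAMPLE_LOG))
```

The point of normalize_method is that the fix is a deny-by-default choice, not a longer verb list: a constraint that names only the verbs you thought of leaves every other verb unconstrained, whereas declaring the constraint for all methods (HARDENED_RULES) or rejecting unexpected verbs before authorization closes the gap for HEAD and for verbs the server maps onto GET handling.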



