[WEB SECURITY] Bypassing URL Authentication and Authorization with HTTP Verb Tampering

Andre Gironda andreg at gmail.com
Thu May 29 12:44:33 EDT 2008

On Thu, May 29, 2008 at 8:32 AM, Gunter Ollmann <gollmann at us.ibm.com> wrote:
> Any of the pentesters I've worked with in the past decade will tell you how
> they use these techniques to bypass restricting authentication/authorization
> filtering. For example, the 3-day "Ethical Hacking" training course given by
> ISS from 2001-2005 covered these techniques, and I believe that the NGS
> Software "Web Application (In)security" courses at Blackhat have
> covered/discussed it as well.

Exactly why this type of vulnerability-finding technique shouldn't be
locked up in $5k-10k/person courseware IP and instead published in the
open.  Or given to the community through OWASP, BSI, or MITRE
enumeration projects.

> You'll also find a few bruteforce attack tools that will flip to HEAD etc.
> for launching attacks - but this is a little more to do with speed
> improvements and bandwidth constraints - but, at the end of the day, I can't
> agree with the assertion that this is not well known.

I am curious about this as well.  Elza (1998?) or any spider probably
has done HEAD/Verb operations for authentication bypass purposes.
SPIKEproxy or another fuzzer would have found vulnerabilities like
this in the past.  But not everything that SPIKEproxy or Elza have
picked up has been announced to the public as bad practice with
identification, impact, variations, and countermeasures -- especially
when combinatorial aspects factor in (e.g. combining an authenticated
spider set of results with an external HTTP method fuzzer).  The tools
don't do this on their own: the people driving them do.

Either way you look at it, if it has been done in the past (and I'm
not arguing that it hasn't) -- it's been exploratory.  With
documentation like Arshan's, now it can be a formal test case and part
of a checklist.

> I don't have a copy handy, but you may also want to check out Dafydd
> Stuttard's and Marcus Pinto's book "The Web Application Hackers Handbook"
> http://www.amazon.com/Web-Application-Hackers-Handbook-Discovering/dp/0470170778/ref=sr_1_1?ie=UTF8&s=books&qid=1212074361&sr=8-1

I have the PDF.  Did some searches.  Read chapters 4, 6, and 8.  It's
not in there.
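As a worked illustration of the test case Andre is talking about (an authenticated spider's list of paths fed to an HTTP method fuzzer, with "denied on GET but served on HEAD/PUT/whatever" as the finding), here is an added example. It is not code from this thread, from Arshan's paper, or from any of the tools named above. Both halves are constructed for the demo: a local target whose authorization filter only checks the verbs it enumerates (GET and POST), and a checker that re-requests each path with other verbs and flags any that come back 200 where GET is refused. The paths, the bearer token, the method list and the `make_handler`/`find_verb_bypasses`/`run_demo` names are all assumptions made up for this example; the hardened variant (gate every verb, not a listed subset) is included for comparison.

```python
"""Added example: HTTP verb tampering against a method-enumerating access filter.

Two halves: a constructed local target whose authorization filter only gates the
verbs it lists (the weakness the thread discusses), and a checker that takes a
list of paths (e.g. the output of an authenticated spider) and re-requests each
one with other methods, flagging any verb served with 200 where GET is denied.
Paths, token and server are hypothetical and exist only for this demo.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

PROTECTED_PATHS = {"/admin/users"}          # constructed: paths that need a token
FILTERED_METHODS = {"GET", "POST"}          # the bug: the filter enumerates verbs
SECRET = "Bearer admin-token"               # constructed credential
# Verbs the checker tries; "FOO" is a nonsense verb to see how unknowns are handled.
METHODS = ["GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "PATCH", "FOO"]


def make_handler(enumerate_methods):
    """Build a request handler. enumerate_methods=True reproduces the weak filter
    (only GET/POST are checked); False is the hardened form that gates every verb."""

    class Handler(BaseHTTPRequestHandler):
        def _handle(self):
            gated = self.command in FILTERED_METHODS if enumerate_methods else True
            if (self.path in PROTECTED_PATHS and gated
                    and self.headers.get("Authorization") != SECRET):
                self.send_response(403)
                self.send_header("Content-Length", "0")
                self.end_headers()
                return
            body = b"admin user list"
            self.send_response(200)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            if self.command != "HEAD":
                self.wfile.write(body)

        # Every verb the server knows about goes through the same filter path;
        # verbs with no do_<VERB> handler get a 501 from the base class.
        do_GET = do_POST = do_HEAD = do_PUT = do_DELETE = _handle
        do_OPTIONS = do_TRACE = do_PATCH = _handle

        def log_message(self, *args):  # keep the demo quiet
            pass

    return Handler


def probe(host, port, path, method):
    """Send one request with an arbitrary verb and return the status code."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request(method, path)
        resp = conn.getresponse()
        resp.read()
        return resp.status
    finally:
        conn.close()


def find_verb_bypasses(host, port, paths, methods=METHODS):
    """For each path denied to an unauthenticated GET, list the other verbs that
    are served with 200. Returns {path: [verbs]} for paths with a bypass."""
    findings = {}
    for path in paths:
        if probe(host, port, path, "GET") not in (401, 403):
            continue  # GET already allowed: nothing to bypass here
        hits = [m for m in methods if m != "GET" and probe(host, port, path, m) == 200]
        if hits:
            findings[path] = hits
    return findings


def run_demo(enumerate_methods=True):
    """Start the constructed target on a random loopback port, run the checker, stop."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), make_handler(enumerate_methods))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        host, port = server.server_address[:2]
        return find_verb_bypasses(host, port, ["/admin/users", "/public"])
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print("method-enumerating filter:", run_demo(enumerate_methods=True))
    print("deny-every-verb filter:   ", run_demo(enumerate_methods=False))
```

Against the enumerating filter the checker reports /admin/users as reachable via HEAD, PUT, DELETE, OPTIONS, TRACE and PATCH (POST is still refused, the unknown verb gets a 501); against the deny-every-verb filter it reports nothing. The design choice worth noting is the baseline: only paths that are actually refused on GET are fuzzed, which is what makes the combination with an authenticated spider's path list useful rather than noisy.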
