[WEB SECURITY] Bypassing URL Authentication and Authorization with HTTP Verb Tampering

Gunter Ollmann gollmann at us.ibm.com
Thu May 29 13:10:13 EDT 2008

Hi Ashran...
"Arshan Dabirsiaghi" <arshan.dabirsiaghi at aspectsecurity.com> wrote on
05/29/2008 11:55:59 AM:
> we're not claiming to invent verb tampering. I was personally taken
> aback when I actually looked at the RFC and tested the various
> vendors. I simply could not believe anyone else had not done this.

And you we're right, you shouldn't have believed that anyone else had not
already done this. You may want to note that several IDS/IPS vendors had
already crafted rules/signatures/decodes within their products to protect
against the malicious forms of the vector - not because it was an unknown.
In future testing you may want to also evaluate how some of the mainstream
IDS/IPS technologies protect against the vector. I'd be curious.

> There was nothing we could find that pointed to other people doing this
> Verb tampering is something that we thought many pen testers (and
> some tools, like Sentinel) have done at some point, but not as part
> of any standard methodology or to specifically evade a particular
> I'm actually a little relieved to see that NGS and IIS had played in
> this area before, even if they had not published on it. Share-
> nothing attitudes, though, won't get us very far as a community
> (which I'm sensing may not actually exist).

I'm sorry, but you're kidding right? Just because you couldn't find it on a
search engine you appear to be asserting that the knowledge hasn't been in
use or isn't shared. This is not the case from my perspective. Like you
mention, tools and pentesters are aware of this vector and have made use of
it for consulting purposes. This isn't a black art - or it would have had
to have been discovered independently by hundreds of consultants.

I also don't believe that "Share-nothing" attitudes apply here. Like I
stated in the earlier email some consulting companies refer to it in their
public courses, and I've fairly positive that you'll find aspects of it in
multiple books on pentesting and application testing (as a bullet point
perhaps?). Something that's not free or easy-to-Google-for does not
necessarily mean that it's not already public.

Granted, it may not be in the current OWASP guide - but that's what
revisions are for, and sure, it should form a documented test case. But
it's also not a case of "the sky is falling".

You wrote a nice paper describing the problem and the vector and I
congratulate you on that - I know personally how much effort goes in to
doing papers like this - and you've made the problem visible to a few more
people. But lets leave it at that - there are plenty of other security
problems seeking solutions...


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/attachments/20080529/f61cd25b/attachment.html>

More information about the websecurity mailing list