[WEB SECURITY] Bypassing URL Authentication and Authorization with HTTP Verb Tampering
- From: "Arshan Dabirsiaghi" <arshan.dabirsiaghi@xxxxxxxxxxxxxxxxxx>
- Subject: [WEB SECURITY] Bypassing URL Authentication and Authorization with HTTP Verb Tampering
- Date: Wed, 28 May 2008 10:48:44 -0400
Internetizens,

Many URL authentication and authorization mechanisms make security decisions based on the HTTP verb in the request. Many of these mechanisms work in a counter-intuitive way. This fact, in combination with some oddities in the way that both web and application servers handle unexpected HTTP verbs, causes the rules dictated by those mechanisms to be bypassable.
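The following is an added example, not code from this announcement or from Aspect Security. It models the counter-intuitive rule semantics the paragraph describes: a URL authorization constraint that names specific verbs covers only those verbs, so a request using any other verb is never matched and falls through to the unrestricted default. The `Constraint` shape is a constructed simplification of a Java EE `web.xml` `<security-constraint>` (url-pattern, optional http-method list, allowed roles); the `harden_policy` and `authorize_hardened` functions, the `SUPPORTED` verb allowlist and the sample `/admin/*` policy are this editor's assumptions, written to show the verb-agnostic, deny-by-default form beside the weak one.

```python
"""Verb-scoped URL authorization: the weak rule beside its hardened form.

Added example, not code from the announcement or from Aspect Security.
Constraint is a constructed simplification of a Java EE web.xml
<security-constraint> (url-pattern, optional http-method list, roles).
The hardened policy and the verb allowlist are the editor's assumptions.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List


@dataclass(frozen=True)
class Constraint:
    url_pattern: str
    roles: FrozenSet[str]                       # roles let through; empty => nobody
    http_methods: FrozenSet[str] = frozenset()  # empty => applies to every verb


@dataclass(frozen=True)
class Request:
    method: str
    path: str
    roles: FrozenSet[str]                       # roles of the authenticated caller


def path_matches(pattern: str, path: str) -> bool:
    """web.xml-style url-pattern matching: exact, '/prefix/*', or '*.ext'."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern


def constraint_applies(c: Constraint, req: Request) -> bool:
    """A constraint that lists verbs covers only those verbs; one that lists
    none covers all of them. This is the counter-intuitive part: naming GET
    and POST restricts GET and POST, not HEAD, PUT or an arbitrary verb."""
    if not path_matches(c.url_pattern, req.path):
        return False
    return not c.http_methods or req.method in c.http_methods


def authorize(policy: Iterable[Constraint], req: Request) -> bool:
    """Container-style decision: deny only if some applicable constraint's
    roles exclude the caller. A resource that no constraint covers for this
    verb is served with no check at all."""
    for c in policy:
        if constraint_applies(c, req) and not (req.roles & c.roles):
            return False
    return True


def harden_policy(policy: Iterable[Constraint]) -> List[Constraint]:
    """Drop the verb lists so every constraint covers every verb."""
    return [Constraint(c.url_pattern, c.roles, frozenset()) for c in policy]


def authorize_hardened(policy: Iterable[Constraint], req: Request,
                       supported_methods: FrozenSet[str]) -> bool:
    """Deny by default: refuse verbs the application does not implement
    (a 405 in practice), then evaluate the verb-agnostic constraints."""
    if req.method not in supported_methods:
        return False
    return authorize(harden_policy(policy), req)


# Constructed sample policy: only admins may reach /admin/*, but the rule
# was written with an explicit GET/POST list.
WEAK_POLICY = [Constraint("/admin/*", frozenset({"admin"}),
                          frozenset({"GET", "POST"}))]
SUPPORTED = frozenset({"GET", "HEAD", "POST"})   # verbs the app actually serves


if __name__ == "__main__":
    anon_head = Request("HEAD", "/admin/users", frozenset())
    print("weak policy, anonymous HEAD /admin/users ->",
          authorize(WEAK_POLICY, anon_head))
    print("hardened policy, same request ->",
          authorize_hardened(WEAK_POLICY, anon_head, SUPPORTED))
```

The fix lives in the configuration, not the evaluator: the same `authorize` function denies the anonymous request once the verb list is removed, so the practical review check is to look for every constraint that enumerates methods and ask whether the enumeration was meant as a restriction. Adding a verb allowlist in front of the constraint check closes the remaining gap for verbs the application never implemented; in later Servlet specifications (3.1 onward) `<deny-uncovered-http-methods/>` and `<http-method-omission>` express the same intent declaratively.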
Many of us rely on the mechanisms I'm talking about. The Internet is not exactly going to burn down when this email goes out, but there is probably a fair number of externally facing web applications out there that are relying on the shaky security provided by these configurations.
We have written a whitepaper that goes into some detail discussing the vulnerability and how the various vendors are affected. You can grab the whitepaper from Aspect Security's website:

http://www.aspectsecurity.com/documents/Bypassing_VBAAC_with_HTTP_Verb_Tampering.pdf
Jeff Williams and Jim Manico also put together a demo that shows the attack in progress:

http://www.aspectsecurity.com/documents/Aspect_VBAAC_Bypass.swf
Cheers,

Arshan Dabirsiaghi
Director of Research
Aspect Security
http://www.aspectsecurity.com/
Brought to you by http://www.webappsec.org