
RE: [WEB SECURITY] Bypassing URL Authentication and Authorization with HTTP Verb Tampering




The answer to your question is pretty self-evident in the email you replied to, so I guess I'll quote myself:

> It's not that we expect anything else from HEAD, indeed it's doing exactly as the spec says - we're just alerting
> most people to its usefulness to attackers to access non-idempotent GETs behind URL authorization schemes.
> That is the fact that, which you may still not believe, is not well known. Of course that's just half the story, the
> other half is the vendor craziness when dealing with arbitrary HTTP verbs.

You're free to disagree with the "awareness" issue, but I think you'd be wrong. In my opinion, your characterization of it as being-in-line-with-the-RFC-so-it-can't-possibly-be-problematic is unreasonable and actually tangential to the point: many people rely on this, it's wrong, and we are having a hard time finding anyone prior that says the same thing.

Arshan

________________________________

From: Martin O'Neal [mailto:martin.oneal@corsaire.com]
Sent: Thu 5/29/2008 9:58 AM
To: Arshan Dabirsiaghi; websecurity@webappsec.org
Subject: RE: [WEB SECURITY] Bypassing URL Authentication and Authorization with HTTP Verb Tampering




> Not sure how you can question whether or not I know the RFC

I'm not questioning your familiarity with the RFC, I'm questioning your
assertion that "The HEAD-redirect-to-GET and arbitrary verbs being
forwarded to GET handler are the unique takeaways".

A web server working as per the RFC is a unique discovery worthy of a
paper in what way?

Martin...



----------------------------------------------------------------------
CONFIDENTIALITY:  This e-mail and any files transmitted with it are
confidential and intended solely for the use of the recipient(s) only.
Any review, retransmission, dissemination or other use of, or taking
any action in reliance upon this information by persons or entities
other than the intended recipient(s) is prohibited.  If you have
received this e-mail in error please notify the sender immediately
and destroy the material whether stored on a computer or otherwise.
----------------------------------------------------------------------
DISCLAIMER:  Any views or opinions presented within this e-mail are
solely those of the author and do not necessarily represent those
of Corsaire Limited, unless otherwise specifically stated.
----------------------------------------------------------------------
Corsaire Limited, registered in England No. 3338312. Registered
office: Portland House, Park Street, Bagshot, Surrey GU19 5PG.
Telephone: +44 (0)1483-746700
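The mechanism the two messages argue about, as an added illustration that is not part of either author's e-mail: a URL authorization rule that names only GET and POST leaves HEAD and arbitrary verbs unchecked, and a server that routes HEAD (or an unknown verb) to the GET handler then runs a non-idempotent GET handler without authentication. The deny-by-default rule closes the gap. All names, the route, the token and the dispatcher behaviour are constructed for this example; the dispatcher models the "forward to the GET handler" behaviour the thread describes, not any particular product.

```python
"""Added example: modelling HTTP verb tampering against method-scoped URL
authorization, and the deny-by-default fix. Hypothetical names throughout."""

from dataclasses import dataclass, field


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)


# Constructed side-effect log so the test can see whether the handler ran.
AUDIT_LOG = []


def delete_user_via_get(req):
    """Constructed 'non-idempotent GET': a GET handler with side effects."""
    AUDIT_LOG.append(f"deleted user via {req.method}")
    return 200, "deleted"


def is_authenticated(req):
    # Constructed check; a real app would validate a session or token.
    return req.headers.get("Authorization") == "Bearer constructed-admin-token"


def weak_authz(req):
    """Method-scoped rule (the pattern the thread warns about): only the
    listed verbs on the protected path are subject to authentication."""
    if req.path.startswith("/admin") and req.method in ("GET", "POST"):
        return is_authenticated(req)
    return True


def hardened_authz(req):
    """Deny-by-default rule: any verb on the protected path needs auth."""
    if req.path.startswith("/admin"):
        return is_authenticated(req)
    return True


# Single constructed route, registered for GET only.
ROUTES = {("GET", "/admin/delete"): delete_user_via_get}


def dispatch(req, authz):
    """Authorize, then route. HEAD and verbs with no handler of their own
    fall through to the GET handler, mirroring the behaviour described in
    the thread (assumed here, not taken from any specific server)."""
    if not authz(req):
        return 403, "forbidden"
    handler = ROUTES.get((req.method, req.path)) or ROUTES.get(("GET", req.path))
    if handler is None:
        return 404, "not found"
    status, body = handler(req)
    if req.method == "HEAD":
        body = ""  # HEAD returns no body, but the side effect already happened
    return status, body


def run_scenario(authz, method):
    """Send an unauthenticated request with the given verb to /admin/delete.
    Returns (status, number of side effects recorded)."""
    AUDIT_LOG.clear()
    status, _ = dispatch(Request(method, "/admin/delete"), authz)
    return status, len(AUDIT_LOG)


if __name__ == "__main__":
    for name, rule in (("weak", weak_authz), ("hardened", hardened_authz)):
        for verb in ("GET", "HEAD", "PROPFIND"):
            print(name, verb, run_scenario(rule, verb))
```

With the weak rule, an unauthenticated GET is refused but an unauthenticated HEAD or unrecognised verb reaches the GET handler and the side effect fires; with the hardened rule every verb on the protected path is refused. The practical checks are the same two the model shows: write authorization constraints without a method list (or with an explicit deny-all fallback), and confirm in tests that HEAD and an arbitrary verb against a protected URL are refused before any handler runs.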







Brought to you by http://www.webappsec.org