
RE: [WEB SECURITY] Bypassing URL Authentication and Authorization with HTTP Verb Tampering

I don't exactly know why, but you're trying to blur the difference
between "alerting the world when most of them are doing it wrong" and
"knowing what the RFC says", which is fairly unimportant.

If this is a well-known issue, please point me to the CWE ID or any
other prior listing of this information? I'm not saying you didn't
already have the attack technique in your pocket, I'm saying that the
world needed an alert.

Incidentally, if there is no prior art out there, and someone releases
something, and you say "I knew about that before you did!!! And seeing
it out on the Interweb makes me soooOO madd!!", you are an idiot.

Love,
Arshan

________________________________

From: Martin O'Neal [mailto:martin.oneal@corsaire.com]
Sent: Thu 5/29/2008 10:25 AM
To: Arshan Dabirsiaghi; websecurity@webappsec.org
Subject: RE: [WEB SECURITY] Bypassing URL Authentication and Authorization with HTTP Verb Tampering




Ok, so you've changed your mind then; the HEAD-redirect-to-GET isn't
anything unique.

Which leaves you with making people aware of the problems with
implicit-allow rules.  Which is old news.  Which is where we started
out.

Martin...


----------------------------------------------------------------------
CONFIDENTIALITY:  This e-mail and any files transmitted with it are
confidential and intended solely for the use of the recipient(s) only.
Any review, retransmission, dissemination or other use of, or taking
any action in reliance upon this information by persons or entities
other than the intended recipient(s) is prohibited.  If you have
received this e-mail in error please notify the sender immediately
and destroy the material whether stored on a computer or otherwise.
----------------------------------------------------------------------
DISCLAIMER:  Any views or opinions presented within this e-mail are
solely those of the author and do not necessarily represent those
of Corsaire Limited, unless otherwise specifically stated.
----------------------------------------------------------------------
Corsaire Limited, registered in England No. 3338312. Registered
office: Portland House, Park Street, Bagshot, Surrey GU19 5PG.
Telephone: +44 (0)1483-746700
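The "implicit-allow rules" and the HEAD-to-GET behaviour that Martin and Arshan are arguing about can be shown in a few lines. The following is an added example written for this page; it is not code from either mail, nor from the paper the thread is about. It assumes a simplified rule model (a URL prefix, the set of verbs the rule constrains, and the roles it permits), and a constructed table that sends HEAD to the GET handler, which is how many servlet-style frameworks service HEAD.

```python
# Added example (not from the thread): a model of URL authorization rules that
# list HTTP verbs explicitly, showing why leaving unlisted verbs implicitly
# allowed is the defect, and what a deny-uncovered policy changes.
#
# Assumptions (mine, not the thread's): a Rule is (url_prefix, verbs, roles);
# an empty verb set means "every verb"; a request that no rule covers is
# allowed or denied according to the deny_uncovered flag.  HANDLER_FOR is a
# constructed model of a container that serves HEAD through the GET handler.

from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Rule:
    url_prefix: str
    verbs: FrozenSet[str]   # verbs this rule constrains; empty = all verbs
    roles: FrozenSet[str]   # roles permitted when the rule applies


# Which handler actually runs for a verb: HEAD is commonly served by the GET
# code path with the response body discarded (side effects still happen).
HANDLER_FOR: Dict[str, str] = {"HEAD": "GET"}


def effective_handler(verb: str) -> str:
    return HANDLER_FOR.get(verb, verb)


def covering_rule(rules: List[Rule], verb: str, path: str) -> Optional[Rule]:
    """Return the first rule that constrains this verb on this path, if any."""
    for rule in rules:
        if path.startswith(rule.url_prefix) and (not rule.verbs or verb in rule.verbs):
            return rule
    return None


def is_allowed(rules: List[Rule], verb: str, path: str,
               user_roles: FrozenSet[str], deny_uncovered: bool) -> bool:
    rule = covering_rule(rules, verb, path)
    if rule is None:
        # No rule mentions this verb for this URL.  Implicit-allow lets the
        # request through with no role check; deny-uncovered refuses it.
        return not deny_uncovered
    return bool(rule.roles & user_roles)


# Weak configuration: only the verbs the author thought of are constrained.
WEAK_RULES = [Rule("/admin/", frozenset({"GET", "POST"}), frozenset({"admin"}))]

# Corrected configuration: an empty verb set constrains every verb.
FIXED_RULES = [Rule("/admin/", frozenset(), frozenset({"admin"}))]


def audit(rules: List[Rule], deny_uncovered: bool, path: str = "/admin/users",
          roles: FrozenSet[str] = frozenset()) -> Dict[str, Optional[str]]:
    """For a caller with the given roles (anonymous by default), report which
    verbs are let through and which handler would then run; None = refused."""
    report: Dict[str, Optional[str]] = {}
    for verb in ("GET", "POST", "HEAD"):
        if is_allowed(rules, verb, path, roles, deny_uncovered):
            report[verb] = effective_handler(verb)
        else:
            report[verb] = None
    return report


if __name__ == "__main__":
    # With the weak rules, an anonymous HEAD is not covered, so it passes and
    # the GET handler runs anyway.  Either fix closes that gap.
    print("weak, implicit allow :", audit(WEAK_RULES, deny_uncovered=False))
    print("fixed rules          :", audit(FIXED_RULES, deny_uncovered=False))
    print("weak + deny uncovered:", audit(WEAK_RULES, deny_uncovered=True))
```

The audit is the check worth running against a real rule set: for every protected URL, enumerate the verbs and confirm that none of them falls outside every rule. Note that deny-uncovered is a global switch, so with it enabled any URL that genuinely should be public needs its own explicit permit rule.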