
RE: [WEB SECURITY] Bypassing URL Authentication and Authorization with HTTP Verb Tampering


"Arshan Dabirsiaghi" <arshan.dabirsiaghi@aspectsecurity.com> wrote on
05/29/2008 08:47:02 AM:
> > The HTTP specification, RFC 2616 [1], specifies that HEAD requests
> should produce the same results as
> > a GET request but with no response body.
>
> It's not that we expect anything else from HEAD, indeed it's doing
> exactly as the spec says - we're just alerting most people to its
> usefulness to attackers to access non-idempotent GETs behind URL
> authorization schemes. That is the fact that, which you may still
> not believe, is not well known. Of course that's just half the
> story, the other half is the vendor craziness when dealing with
> arbitrary HTTP verbs.

Now, I don't normally pipe up in these kinds of discussions, but I'm afraid
I'm going to have to agree with Martin on this.

Your paper is a good summary of the problem, but let's not get caught up on
any novelty of this vector.

Any of the pentesters I've worked with in the past decade will tell you how
they use these techniques to bypass restricting authentication/authorization
filtering. For example, the 3-day "Ethical Hacking" training course given by
ISS from 2001-2005 covered these techniques, and I believe that the NGS
Software "Web Application (In)security" courses at Blackhat have
covered/discussed it as well.

You'll also find a few bruteforce attack tools that will flip to HEAD etc.
for launching attacks - but this is a little more to do with speed
improvements and bandwidth constraints - but, at the end of the day, I
can't agree with the assertion that this is not well known.

I don't have a copy handy, but you may also want to check out Dafydd
Stuttard's and Marcus Pinto's book "The Web Application Hacker's Handbook"
http://www.amazon.com/Web-Application-Hackers-Handbook-Discovering/dp/0470170778/ref=sr_1_1?ie=UTF8&s=books&qid=1212074361&sr=8-1

Cheers,

Gunter
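
As an added illustration (not code from this thread or from anyone quoted in it), the following hypothetical model shows the verb-scoped URL authorization rule the quoted message describes beside a rule that covers every verb; the names Request, authorize, handle and uncovered_verbs are all assumed. The weak rule checks only the verbs it lists, so a HEAD that the server routes to the GET handler reaches a non-idempotent action without a login, while the method-agnostic rule denies it and the audit helper reports which verbs a rule leaves unchecked.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

ALL_VERBS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE"}


@dataclass
class Request:
    method: str
    path: str
    user: Optional[str] = None   # None means unauthenticated


# Constructed sample rule sets: URL prefix -> verbs the rule applies to.
# Weak: protects only the verbs listed, so any other verb is never checked.
WEAK_RULES: Dict[str, Set[str]] = {"/admin/": {"GET", "POST"}}
# Hardened: an empty set means "every verb" (deny by default for the prefix).
STRICT_RULES: Dict[str, Set[str]] = {"/admin/": set()}


def authorize(rules: Dict[str, Set[str]], req: Request) -> bool:
    """True if the request may reach the handler."""
    for prefix, verbs in rules.items():
        if not req.path.startswith(prefix):
            continue
        if verbs and req.method not in verbs:
            continue          # rule is silent about this verb: no check at all
        return req.user is not None
    return True               # no rule matched: path is treated as public


def handle(rules: Dict[str, Set[str]], req: Request) -> Tuple[int, bool]:
    """Return (status, deleted). HEAD reuses the GET handler and only drops
    the body, as RFC 2616 describes, so the GET's side effect still runs."""
    if not authorize(rules, req):
        return 403, False
    if req.method in ("GET", "HEAD") and req.path == "/admin/delete":
        return 200, True      # non-idempotent action behind a GET URL
    return 200, False


def uncovered_verbs(rules: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Audit helper: the verbs each rule leaves unchecked (empty = none)."""
    return {p: (ALL_VERBS - v if v else set()) for p, v in rules.items()}


if __name__ == "__main__":
    anon = Request("HEAD", "/admin/delete")
    print("weak:", handle(WEAK_RULES, anon), "strict:", handle(STRICT_RULES, anon))
    print("unchecked verbs under weak rules:", uncovered_verbs(WEAK_RULES))
```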




Brought to you by http://www.webappsec.org