
RE: [WEB SECURITY] Bypassing URL Authentication and Authorization with HTTP Verb Tampering



------_=_NextPart_001_01C8C1A4.7CD40088
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

Gunter,

The list server is being a little slow, or you'd see me clarify that
we're not claiming to invent verb tampering. I was personally taken
aback when I actually looked at the RFC and tested the various vendors.
I simply could not believe anyone else had not done this. These were the
facts we were faced with when deciding what to do with the info:

* Clearly this is not well known among application developers (no
  surprise there)
* It did not appear to be well known when we sampled the security
  community luminaries (in fact, the response was overwhelmingly something
  to the effect of "oh, shit, that could be bad")
* There was nothing we could find that pointed to other people doing this
  before
* Verb tampering is something that we thought many pen testers (and some
  tools, like Sentinel) have done at some point, but not as part of any
  standard methodology or to specifically evade a particular mechanism

I'm actually a little relieved to see that NGS and IIS had played in
this area before, even if they had not published on it. Share-nothing
attitudes, though, won't get us very far as a community (which I'm
sensing may not actually exist).

Thanks,
Arshan

________________________________

From: Gunter Ollmann [mailto:gollmann@us.ibm.com]
Sent: Thu 5/29/2008 11:32 AM
To: Arshan Dabirsiaghi
Cc: Martin O'Neal; websecurity@webappsec.org
Subject: RE: [WEB SECURITY] Bypassing URL Authentication and Authorization with HTTP Verb Tampering



"Arshan Dabirsiaghi" <arshan.dabirsiaghi@aspectsecurity.com> wrote on
05/29/2008 08:47:02 AM:
> > The HTTP specification, RFC 2616 [1], specifies that HEAD requests
> > should produce the same results as
> > a GET request but with no response body.
>
> It's not that we expect anything else from HEAD, indeed it's doing
> exactly as the spec says - we're just alerting most people to its
> usefulness to attackers to access non-idempotent GETs behind URL
> authorization schemes. That is the fact that, which you may still
> not believe, is not well known. Of course that's just half the
> story, the other half is the vendor craziness when dealing with
> arbitrary HTTP verbs.

Now, I don't normally pipe up in these kinds of discussions, but I'm
afraid I'm going to have to agree with Martin on this.

Your paper is a good summary of the problem, but let's not get caught up
on any novelty of this vector.

Any of the pentesters I've worked with in the past decade will tell you
how they use these techniques to bypass restricting
authentication/authorization filtering. For example, the 3-day "Ethical
Hacking" training course given by ISS from 2001-2005 covered these
techniques, and I believe that the NGS Software "Web Application
(In)security" courses at Blackhat have covered/discussed it as well.

You'll also find a few bruteforce attack tools that will flip to HEAD
etc. for launching attacks - but this is a little more to do with speed
improvements and bandwidth constraints - but, at the end of the day, I
can't agree with the assertion that this is not well known.

I don't have a copy handy, but you may also want to check out Dafydd
Stuttard's and Marcus Pinto's book "The Web Application Hacker's
Handbook"
http://www.amazon.com/Web-Application-Hackers-Handbook-Discovering/dp/0470170778/ref=sr_1_1?ie=UTF8&s=books&qid=1212074361&sr=8-1

Cheers,

Gunter
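The quoted exchange above turns on one point: a container serves HEAD through the same code path as GET (as RFC 2616 describes), so a URL authorization rule that is keyed on an explicit verb list never sees the HEAD request, and a non-idempotent action reachable via GET runs unauthenticated. The following is an added illustration from a defender's point of view, not code from this thread or from Aspect Security's paper: it models a servlet-style dispatcher behind two authorization filters, one written the verb-listed way and one written default-deny, and shows that only the second blocks the HEAD variant. The paths, the 'admin' role, the AdminHandler class and the deleteUser action are all constructed for the example.

```python
"""Verb-listed vs default-deny URL authorization in front of a handler
that routes HEAD into its GET logic.  Constructed example; the paths,
roles and handler are hypothetical."""
from dataclasses import dataclass


@dataclass
class Request:
    method: str
    path: str
    user_roles: frozenset = frozenset()


# Constructed policy: everything under /admin/ requires the 'admin' role.
PROTECTED_PREFIX = "/admin/"
REQUIRED_ROLE = "admin"


class AdminHandler:
    """A non-idempotent action reached via GET (e.g. /admin/deleteUser/7)."""

    def __init__(self):
        self.deleted = []

    def do_get(self, req):
        user_id = req.path.rsplit("/", 1)[-1]
        self.deleted.append(user_id)          # side effect happens here
        return 200, f"deleted {user_id}"

    def dispatch(self, req):
        # RFC 2616: HEAD is answered like GET minus the body, so the
        # container hands HEAD to the GET handler and drops the body.
        if req.method in ("GET", "HEAD"):
            status, body = self.do_get(req)
            return status, ("" if req.method == "HEAD" else body)
        return 405, "method not allowed"


def verb_listed_filter(req):
    """Weak pattern: the constraint names the verbs it covers, so any verb
    not on the list (HEAD, TRACE, an unknown verb) skips the role check."""
    if req.path.startswith(PROTECTED_PREFIX) and req.method in ("GET", "POST"):
        return REQUIRED_ROLE in req.user_roles
    return True


def default_deny_filter(req):
    """Hardened pattern: the role check is tied to the path alone and is
    applied whatever the verb, so there is no unlisted-verb path around it."""
    if req.path.startswith(PROTECTED_PREFIX):
        return REQUIRED_ROLE in req.user_roles
    return True


def serve(req, auth_filter, handler):
    """Run one request through filter then dispatcher.
    Returns (status, body, number of deletions performed so far)."""
    if not auth_filter(req):
        return 403, "forbidden", len(handler.deleted)
    status, body = handler.dispatch(req)
    return status, body, len(handler.deleted)


def demo(auth_filter):
    """Send an unauthenticated GET and HEAD to the protected action and
    report {verb: (status, deletions_so_far)}."""
    handler = AdminHandler()
    anonymous = frozenset()
    results = {}
    for method in ("GET", "HEAD"):
        req = Request(method, "/admin/deleteUser/7", anonymous)
        status, _body, deletions = serve(req, auth_filter, handler)
        results[method] = (status, deletions)
    return results


if __name__ == "__main__":
    print("verb-listed filter :", demo(verb_listed_filter))
    print("default-deny filter:", demo(default_deny_filter))
```

With the verb-listed filter the GET is refused but the HEAD reaches `do_get` and the deletion is recorded with a 200 and an empty body; with the default-deny filter both are refused. The same shape applies to any framework whose security constraints enumerate methods: the check to make when reviewing such a configuration is whether a constraint with no verbs listed, or an explicit catch-all, protects the path for every method, and whether state-changing actions are reachable over GET at all.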







Brought to you by http://www.webappsec.org