
RE: [WEB SECURITY] Bypassing URL Authentication and Authorization with HTTP Verb Tampering





Hi Arshan...
"Arshan Dabirsiaghi" <arshan.dabirsiaghi@aspectsecurity.com> wrote on
05/29/2008 11:55:59 AM:
> we're not claiming to invent verb tampering. I was personally taken
> aback when I actually looked at the RFC and tested the various
> vendors. I simply could not believe anyone else had not done this.

And you were right, you shouldn't have believed that anyone else had not
already done this. You may want to note that several IDS/IPS vendors had
already crafted rules/signatures/decodes within their products to protect
against the malicious forms of the vector - not because it was an unknown.
In future testing you may want to also evaluate how some of the mainstream
IDS/IPS technologies protect against the vector. I'd be curious.

> There was nothing we could find that pointed to other people doing this
> before
> Verb tampering is something that we thought many pen testers (and
> some tools, like Sentinel) have done at some point, but not as part
> of any standard methodology or to specifically evade a particular
> mechanism
> I'm actually a little relieved to see that NGS and IIS had played in
> this area before, even if they had not published on it. Share-nothing
> attitudes, though, won't get us very far as a community
> (which I'm sensing may not actually exist).

I'm sorry, but you're kidding right? Just because you couldn't find it on a
search engine you appear to be asserting that the knowledge hasn't been in
use or isn't shared. This is not the case from my perspective. Like you
mention, tools and pentesters are aware of this vector and have made use of
it for consulting purposes. This isn't a black art - or it would have had
to have been discovered independently by hundreds of consultants.

I also don't believe that "Share-nothing" attitudes apply here. Like I
stated in the earlier email some consulting companies refer to it in their
public courses, and I'm fairly positive that you'll find aspects of it in
multiple books on pentesting and application testing (as a bullet point
perhaps?). Something that's not free or easy-to-Google-for does not
necessarily mean that it's not already public.

Granted, it may not be in the current OWASP guide - but that's what
revisions are for, and sure, it should form a documented test case. But
it's also not a case of "the sky is falling".

You wrote a nice paper describing the problem and the vector and I
congratulate you on that - I know personally how much effort goes into
doing papers like this - and you've made the problem visible to a few more
people. But let's leave it at that - there are plenty of other security
problems seeking solutions...

Cheers,

Gunter



