[Owasp-testing] HTTP TRACK and WEBDAV
gsiere at comcast.net
Mon Jun 9 08:17:59 EDT 2008
All,
Ref HTTP Method Section 4.3.8
Has anyone seen HTTP "TRACK" method enabled when "TRACE" was not? Would it make sense to test for "TRACK" separately? From what I've seen, TRACK behaves pretty much like TRACE - so you should be able to get an XST attack from it - but I've only seen both or none. I guess it might be a way to circumvent an ACL or filter if TRACE is prohibited?
Also, how about all the WEBDAV methods like LOCK, COPY, MOVE, etc? http://www.webdav.org/specs/rfc2518.html#rfc.section.4.4
Is there a single method you can check to see if WEBDAV is enabled at all (like maybe PROPFIND), assuming something like OPTIONS doesn't already tell you? I haven't seen this too often, and was going to research this a little but thought someone might already have some insight.
-George
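
Added example, not part of George's message: a Python sketch that audits a server's OPTIONS response for the methods raised above, reporting TRACE and TRACK independently and flagging WebDAV from either the RFC 2518 DAV header or advertised WebDAV methods. The function names and both sample responses are constructed for illustration.

```python
from email.parser import Parser

# Methods that echo the request back (the XST concern in the post).
ECHO_METHODS = {"TRACE", "TRACK"}
# Methods defined by WebDAV (RFC 2518).
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}

# Constructed sample responses to an OPTIONS request (not captured traffic).
SAMPLE_TRACK_ONLY = ("HTTP/1.1 200 OK\r\n"
                     "Allow: OPTIONS, GET, HEAD, POST, TRACK\r\n"
                     "Content-Length: 0\r\n\r\n")
SAMPLE_WEBDAV = ("HTTP/1.1 200 OK\r\n"
                 "DAV: 1,2\r\n"
                 "Allow: OPTIONS, GET, HEAD, PROPFIND, LOCK, UNLOCK, COPY, MOVE\r\n"
                 "Content-Length: 0\r\n\r\n")

def parse_options_response(raw):
    """Parse a raw HTTP response to OPTIONS and report what it advertises."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    status_line, _, header_block = head.partition("\n")
    headers = Parser().parsestr(header_block, headersonly=True)
    advertised = set()
    # Allow is the standard header; some servers also send a Public header.
    for name in ("Allow", "Public"):
        for value in headers.get_all(name, []):
            advertised.update(m.strip().upper() for m in value.split(",") if m.strip())
    dav = headers.get("DAV")
    return {
        "status": int(status_line.split()[1]),
        "echo_methods": sorted(advertised & ECHO_METHODS),
        "webdav_methods": sorted(advertised & WEBDAV_METHODS),
        "dav_classes": [c.strip() for c in dav.split(",")] if dav else [],
    }

def findings(report):
    """Turn a parsed report into audit findings, one per echo method."""
    out = [m + " advertised: verify it is disabled or filtered"
           for m in report["echo_methods"]]
    if report["dav_classes"] or report["webdav_methods"]:
        out.append("WebDAV indicated: review whether it is needed on this host")
    return out

if __name__ == "__main__":
    for sample in (SAMPLE_TRACK_ONLY, SAMPLE_WEBDAV):
        print(findings(parse_options_response(sample)))
```

The Allow header is advisory, so a method missing from it is not proof the method is rejected; confirm against the server's actual configuration.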