[Owasp-testing] Bypassing URL Authentication and Authorization with HTTP Verb Tampering
kevin.horvath at gmail.com
Sun Jun 1 21:21:03 EDT 2008
I believe this should go in the authentication testing section as a
testing technique. The HTTP methods section is meant for testing to
see if dangerous methods are allowed but this technique is to use
allowed methods to bypass authentication. Just my 2 cents.
On Sun, Jun 1, 2008 at 8:31 PM, Matteo Meucci <matteo.meucci at gmail.com> wrote:
> as you know Arshan has just released a new interesting paper about
> "Bypassing URL Authentication and Authorization with HTTP Verb
> He agreed to include this new test in the Testing Guide.
> The question is, where we can add this new testing technique?
> In the paragraph: "Testing for HTTP Methods" or in
> "Authentication/Authorization" section?
> I personally think that is a new way to test for HTTP Method
> (manipulating the HTTP verb to bypass security controls), but what is
> your opinion?
> Owasp-testing mailing list
> Owasp-testing at lists.owasp.org
More information about the Owasp-testing