[Owasp-testing] Bypassing URL Authentication and Authorization with HTTP Verb Tampering

kevin horvath kevin.horvath at gmail.com
Sun Jun 1 21:21:03 EDT 2008

I believe this should go in the authentication testing section as a
testing technique.  The HTTP methods section is meant for testing to
see if dangerous methods are allowed, but this technique is to use
allowed methods to bypass authentication.  Just my 2 cents.


On Sun, Jun 1, 2008 at 8:31 PM, Matteo Meucci <matteo.meucci at gmail.com> wrote:
> Hi,
> as you know Arshan has just released a new interesting paper about
> "Bypassing URL Authentication and Authorization with HTTP Verb
> Tampering".
> He agreed to include this new test in the Testing Guide.
> The question is, where can we add this new testing technique?
> In the paragraph: "Testing for HTTP Methods" or in
> "Authentication/Authorization" section?
> I personally think that is a new way to test for HTTP Method
> (manipulating the HTTP verb to bypass security controls), but what is
> your opinion?
> Thanks,
> Mat