[Owasp-testing] Bypassing URL Authentication and Authorization with HTTP Verb Tampering

Arshan Dabirsiaghi arshan.dabirsiaghi at aspectsecurity.com
Sun Jun 1 22:04:43 EDT 2008


While the primary exploit scenarios will involve bypassing URL authentication and authorization, I believe it will be possible to use this technique for bypassing any security mechanism, depending on the configuration. To be practical, though, I agree - it should be in Authentication or Authorization, or both. 

On a side note, is there anybody on the list with access to SiteMinder who can test these techniques against resources protected and unprotected by Default Resource Protection and report the behavior?

Cheers,
Arshan


-----Original Message-----
From: owasp-testing-bounces at lists.owasp.org on behalf of kevin horvath
Sent: Sun 6/1/2008 9:21 PM
To: Matteo Meucci
Cc: owasp-testing
Subject: Re: [Owasp-testing] Bypassing URL Authentication and Authorization with HTTP Verb Tampering
 
I believe this should go in the authentication testing section as a
testing technique.  The HTTP methods section is meant for testing to
see if dangerous methods are allowed but this technique is to use
allowed methods to bypass authentication.  Just my 2 cents.

Kevin

On Sun, Jun 1, 2008 at 8:31 PM, Matteo Meucci <matteo.meucci at gmail.com> wrote:
> Hi,
> as you know Arshan has just released a new interesting paper about
> "Bypassing URL Authentication and Authorization with HTTP Verb
> Tampering".
> He agreed to include this new test in the Testing Guide.
> The question is, where we can add this new testing technique?
> In the paragraph: "Testing for HTTP Methods" or in
> "Authentication/Authorization" section?
> I personally think that is a new way to test for HTTP Method
> (manipulating the HTTP verb to bypass security controls), but what is
> your opinion?
>
> Thanks,
> Mat
> _______________________________________________
> Owasp-testing mailing list
> Owasp-testing at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-testing
>
