[Owasp-testing] Bypassing URL Authentication and Authorization with HTTP Verb Tampering
arshan.dabirsiaghi at aspectsecurity.com
Sun Jun 1 22:04:43 EDT 2008
While the primary exploit scenarios will involve bypassing URL authentication and authorization, I believe it will be possible to use this technique for bypassing any security mechanism, depending on the configuration. To be practical, though, I agree - it should be in Authentication or Authorization, or both.
On a side note, is there anybody on the list with access to SiteMinder who can test these techniques against Default Resource Protection (protected & unprotected) and see the behavior?
From: owasp-testing-bounces at lists.owasp.org on behalf of kevin horvath
Sent: Sun 6/1/2008 9:21 PM
To: Matteo Meucci
Subject: Re: [Owasp-testing] Bypassing URL Authentication and Authorization with HTTP Verb Tampering
I believe this should go in the authentication testing section as a
testing technique. The HTTP methods section is meant for testing to
see if dangerous methods are allowed but this technique is to use
allowed methods to bypass authentication. Just my 2 cents.
On Sun, Jun 1, 2008 at 8:31 PM, Matteo Meucci <matteo.meucci at gmail.com> wrote:
> as you know Arshan has just released a new interesting paper about
> "Bypassing URL Authentication and Authorization with HTTP Verb
> He agreed to include this new test in the Testing Guide.
> The question is, where we can add this new testing technique?
> In the paragraph: "Testing for HTTP Methods" or in
> "Authentication/Authorization" section?
> I personally think that is a new way to test for HTTP Method
> (manipulating the HTTP verb to bypass security controls), but what is
> your opinion?
> Owasp-testing mailing list
> Owasp-testing at lists.owasp.org
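The thread above discusses the technique only at the level of "manipulating the HTTP verb to bypass security controls, depending on the configuration." The following is an added example, not code from the list thread or from Arshan's paper: a small in-process model of a URL authorization filter in the servlet style, where a constraint that names specific HTTP methods covers only those methods and everything else falls through as allowed. It shows the weak configuration beside the hardened one (no method list, so every verb is covered). All names (`Request`, `Constraint`, `authorize`, `unauthenticated_verbs`, the `/admin/` prefix) are hypothetical and chosen for the illustration.

```python
"""Model of verb-specific vs. default-deny URL authorization.

Added illustration for the HTTP verb tampering discussion; it is not the
OWASP Testing Guide's own code and does not talk to any real server.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass
class Request:
    """Constructed request: method, path and the authenticated user (None = anonymous)."""
    method: str
    path: str
    user: Optional[str] = None


@dataclass
class Constraint:
    """Protects every path under `prefix`.

    If `methods` is empty, the constraint covers all HTTP methods; otherwise
    only the listed verbs are covered. This mirrors the common container
    semantics in which omitting the method list means "all methods".
    """
    prefix: str
    methods: FrozenSet[str] = frozenset()


def authorize(policy: List[Constraint], req: Request) -> bool:
    """Return True if the request may proceed under `policy`.

    A request is denied only when it matches a constraint whose method set
    covers the request's verb and the requester is anonymous. Anything the
    constraints do not cover is allowed, which is exactly why a constraint
    that enumerates verbs is risky: an unlisted verb (HEAD, PUT, DELETE, or
    an arbitrary token) is never checked, yet the application handler may
    still process it (HEAD, for instance, is commonly routed to the same
    code as GET).
    """
    for c in policy:
        if req.path.startswith(c.prefix):
            covered = not c.methods or req.method.upper() in c.methods
            if covered and req.user is None:
                return False
    return True


# Weak: only the verbs the author thought of are constrained.
WEAK_POLICY = [Constraint("/admin/", frozenset({"GET", "POST"}))]

# Hardened: no verb list, so every method is covered and anonymous access is
# denied regardless of how the request is phrased.
HARDENED_POLICY = [Constraint("/admin/")]


def unauthenticated_verbs(
    policy: List[Constraint],
    methods=("GET", "POST", "HEAD", "PUT", "DELETE", "FOOBAR"),
) -> List[str]:
    """Defensive self-check: list the verbs under which an anonymous request
    to a protected path would still be allowed through by the policy.
    An empty list is the desired result."""
    return [m for m in methods if authorize(policy, Request(m, "/admin/users", None))]


if __name__ == "__main__":
    print("weak policy lets anonymous through via:", unauthenticated_verbs(WEAK_POLICY))
    print("hardened policy lets anonymous through via:", unauthenticated_verbs(HARDENED_POLICY))
```

Running the module prints the verbs that slip past the weak policy and an empty list for the hardened one. The same self-check idea applies when reviewing a real deployment descriptor or gateway rule set: a constraint that enumerates methods should be treated as a finding unless the application is known to reject every unlisted verb itself.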