[Owasp-testing] Bypassing URL Authentication and Authorization with HTTP Verb Tampering

gsiere at comcast.net
Mon Jun 2 21:31:54 EDT 2008


Expanding on Arshan's Bypassing URL Authorization thought, does anyone see any benefit to documenting techniques for trying to bypass "outbound" filtering (like in the form of a web proxy)?

Example: I recently beat outbound filtering by DWORD-encoding the target IP address, and also by adding certain special characters to the end of the (prohibited) URL.  I'm sure that other filter apps could be beaten by any number of URL encoding schemes.

A little different slant than Arshan's verb tampering.
Food for thought.
-George Sieretzki
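Worked example, added by the editor and not part of George's message: the DWORD and related integer spellings of an IPv4 address that inet_aton-based clients accept, next to a filter that compares the dotted string (and so misses them) and one that canonicalises the host with the BSD inet_aton rules before comparing. The blocklist entry and the URLs are constructed for the example; the "special characters at the end of the URL" trick George mentions is not modelled, since the message does not say which characters.

```python
"""Integer spellings of an IPv4 host that slip past a string-matching URL filter.

Added example (not from the original mailing-list post). The blocklist and the
URLs below are constructed for illustration.
"""
import re
from urllib.parse import urlsplit

# Constructed blocklist: what a naive outbound filter stores.
BLOCKED_HOSTS = {"192.168.1.1"}

# One numeric part in the inet_aton grammar: 0x-prefixed hex, 0-prefixed octal, or decimal.
_PART = re.compile(r"^(?:0[xX][0-9a-fA-F]+|0[0-7]*|[1-9][0-9]*)$")


def ipv4_to_int(dotted):
    a, b, c, d = (int(x) for x in dotted.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def alternative_spellings(dotted):
    """Equivalent host spellings that inet_aton-style resolvers (and so most
    browsers, curl and wget) turn back into the same address."""
    n = ipv4_to_int(dotted)
    o = [int(x) for x in dotted.split(".")]
    return {
        "dword": str(n),                                                  # 3232235777
        "hex": "0x%08x" % n,                                              # 0xc0a80101
        "octal": ".".join("0%o" % x for x in o),                          # 0300.0250.01.01
        "octet_hex": ".".join("0x%02x" % x for x in o),                   # 0xc0.0xa8.0x01.0x01
        "two_part": "%d.%d" % (o[0], (o[1] << 16) | (o[2] << 8) | o[3]),  # 192.11010305
        "three_part": "%d.%d.%d" % (o[0], o[1], (o[2] << 8) | o[3]),      # 192.168.257
    }


def _parse_part(part):
    if part[:2].lower() == "0x":
        return int(part[2:], 16)
    if len(part) > 1 and part[0] == "0":
        return int(part, 8)
    return int(part, 10)


def canonical_ipv4(host):
    """Apply the BSD inet_aton rules: one to four numeric parts, each decimal,
    octal or hex; the last part fills all remaining bytes. Returns the
    dotted-quad string, or None when the host is not such a literal."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4 or not all(_PART.match(p) for p in parts):
        return None
    *lead, last = [_parse_part(p) for p in parts]
    if any(v > 255 for v in lead) or last >= 1 << (8 * (4 - len(lead))):
        return None
    n = last
    for i, v in enumerate(lead):
        n |= v << (24 - 8 * i)
    return "%d.%d.%d.%d" % ((n >> 24) & 255, (n >> 16) & 255, (n >> 8) & 255, n & 255)


def naive_is_blocked(url):
    """String comparison of the host: the behaviour George describes beating."""
    return (urlsplit(url).hostname or "") in BLOCKED_HOSTS


def robust_is_blocked(url):
    """Canonicalise the host literal first, then compare."""
    host = urlsplit(url).hostname or ""
    return (canonical_ipv4(host) or host) in BLOCKED_HOSTS


def evading_spellings(dotted, checker):
    """Names of the alternative spellings of `dotted` that `checker` lets through."""
    return [name for name, spelling in alternative_spellings(dotted).items()
            if not checker("http://%s/" % spelling)]


if __name__ == "__main__":
    for name, spelling in alternative_spellings("192.168.1.1").items():
        url = "http://%s/" % spelling
        print("%-10s %-22s naive=%-5s robust=%s" % (
            name, spelling, naive_is_blocked(url), robust_is_blocked(url)))
```

The point of canonical_ipv4 is that the filter must parse the host the same way the client will, not just the way the administrator typed it; any literal that inet_aton would accept has to be reduced to its dotted form before the blocklist lookup, and hostnames that resolve to a blocked address need a resolver-side check that this example does not cover.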

-------------- Original message -------------- 
From: "Arshan Dabirsiaghi" <arshan.dabirsiaghi at aspectsecurity.com> 

While the primary exploit scenarios will involve bypassing URL authentication and authorization, I believe it will be possible to use this technique for bypassing any security mechanism, depending on the configuration. To be practical, though, I agree - it should be in Authentication or Authorization, or both.

On a side note, is there anybody on the list with access to SiteMinder who can test these techniques against Default Resource Protection (protected & unprotected) and see the behavior?

Cheers,
Arshan
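An added example of the mechanism behind the technique (editor's code, not from Arshan's paper or message): a small model of Servlet-spec security-constraint matching, in which a security constraint that lists http-method elements applies only to those methods, so a request with any other verb, HEAD or an invented one, matches no constraint and is passed through without the auth check. The constraint tables stand in for a constructed web.xml; the path and the verb list are assumptions. Whether an unlisted verb then reaches application code depends on the container (HEAD is commonly serviced by the GET handler; an unknown verb may or may not be dispatched), which is what the live probe at the end measures against a real target and what the offline part does not exercise.

```python
"""Why a <security-constraint> that lists <http-method> elements can be bypassed
by changing the verb. Added example, not the paper's or the project's code.

Each dict stands in for one <security-constraint> from a constructed web.xml:
    <web-resource-collection>
        <url-pattern>/admin/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
"""
import http.client
from urllib.parse import urlsplit

# Listing methods narrows the constraint to exactly those methods (assumed weak config).
VULNERABLE_CONSTRAINTS = [
    {"url_pattern": "/admin/*", "http_methods": {"GET", "POST"}, "roles": {"admin"}},
]
# Omitting <http-method> makes the constraint cover every verb (assumed fix).
FIXED_CONSTRAINTS = [
    {"url_pattern": "/admin/*", "http_methods": None, "roles": {"admin"}},
]

# Verbs worth sending: the standard ones plus a made-up one, which some
# containers still route to the application.
VERBS = ["GET", "POST", "HEAD", "PUT", "DELETE", "OPTIONS", "TRACE", "JEFF"]


def pattern_matches(pattern, path):
    """Servlet URL-pattern matching for the two forms used here: exact and '/prefix/*'."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    return path == pattern


def is_constrained(constraints, method, path):
    """True when some constraint covers this (method, path) and so forces the
    auth check. A constraint with an http_methods set applies only to those
    methods; one with None applies to all verbs."""
    for c in constraints:
        if not pattern_matches(c["url_pattern"], path):
            continue
        if c["http_methods"] is None or method in c["http_methods"]:
            return True
    return False


def bypassing_verbs(constraints, path):
    """Verbs that reach `path` without any constraint applying."""
    return [v for v in VERBS if not is_constrained(constraints, v, path)]


def probe_live(url, verbs=VERBS, timeout=5):
    """Send each verb unauthenticated to a real target and collect the status
    codes. A verb that returns 200 where GET returns 401/403 or a redirect to
    a login page is a candidate bypass to confirm by hand. Network call, so not
    exercised offline."""
    parts = urlsplit(url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    results = {}
    for verb in verbs:
        conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
        try:
            conn.request(verb, parts.path or "/")
            results[verb] = conn.getresponse().status
        finally:
            conn.close()
    return results


if __name__ == "__main__":
    print("vulnerable web.xml, /admin/users:", bypassing_verbs(VULNERABLE_CONSTRAINTS, "/admin/users"))
    print("fixed web.xml,      /admin/users:", bypassing_verbs(FIXED_CONSTRAINTS, "/admin/users"))
```

The model also shows why the test belongs with authorization rather than with "dangerous methods": every verb in the list is one the container is allowed to accept; the defect is that the access-control rule was written for two of them.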


-----Original Message-----
From: owasp-testing-bounces at lists.owasp.org on behalf of kevin horvath
Sent: Sun 6/1/2008 9:21 PM
To: Matteo Meucci
Cc: owasp-testing
Subject: Re: [Owasp-testing] Bypassing URL Authentication and Authorization with HTTP Verb Tampering

I believe this should go in the authentication testing section as a
testing technique.  The HTTP methods section is meant for testing to
see if dangerous methods are allowed but this technique is to use
allowed methods to bypass authentication.  Just my 2 cents.

Kevin

On Sun, Jun 1, 2008 at 8:31 PM, Matteo Meucci <matteo.meucci at gmail.com> wrote:
> Hi,
> as you know Arshan has just released a new interesting paper about
> "Bypassing URL Authentication and Authorization with HTTP Verb
> Tampering".
> He agreed to include this new test in the Testing Guide.
> The question is, where can we add this new testing technique?
> In the paragraph: "Testing for HTTP Methods" or in
> "Authentication/Authorization" section?
> I personally think that it is a new way to test for HTTP Method
> (manipulating the HTTP verb to bypass security controls), but what is
> your opinion?
>
> Thanks,
> Mat
> _______________________________________________
> Owasp-testing mailing list
> Owasp-testing at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-testing
>
-------------- next part --------------
An embedded message was scrubbed...
From: "Arshan Dabirsiaghi" <arshan.dabirsiaghi at aspectsecurity.com>
Subject: Re: [Owasp-testing] Bypassing URL Authentication and Authorization with HTTP Verb Tampering
Date: Mon, 2 Jun 2008 02:09:36 +0000
Size: 855
Url: https://lists.owasp.org/pipermail/owasp-testing/attachments/20080603/fd391b46/attachment.mht 