[Owasp-testing] HTTP TRACK and WEBDAV

gsiere at comcast.net gsiere at comcast.net
Mon Jun 9 08:17:59 EDT 2008


Ref HTTP Method Section 4.3.8

Has anyone seen HTTP "TRACK" method enabled when "TRACE" was not?  Would it make sense to test for "TRACK" separately?  From what I've seen, TRACK behaves pretty much like TRACE - so you should be able to get an XST attack from it -  but I've only seen both or none.  I guess it might be a way to circumvent an ACL or filter if TRACE is prohibited?

Also, how about all the WEBDAV methods like LOCK, COPY, MOVE, etc?  http://www.webdav.org/specs/rfc2518.html#rfc.section.4.4

Is there a single method you can check to see if WEBDAV is enabled at all (like maybe PROPFIND)? (assuming something like OPTIONS doesn't already tell you)?  I havn't seen this too often, and was going to research this a little but thought someone might already have some insight.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-testing/attachments/20080609/79fd667d/attachment.html 

More information about the Owasp-testing mailing list