[Owasp-testing] HTTP TRACK and WEBDAV

Dave van Stein dvstein at gmail.com
Mon Jun 9 08:33:17 EDT 2008

Talking about new thing/ways to test .. Did anybody see this blog:
It's about using existing, available .js or other resource for generating
XSS and thus bypassing 'script filtering' and other blacklisting methods ...

Very interesting and also something to at least mention in the manual ?


2008/6/9 <gsiere at comcast.net>:

>  All,
> Ref HTTP Method Section 4.3.8
> Has anyone seen HTTP "TRACK" method enabled when "TRACE" was not?  Would it
> make sense to test for "TRACK" separately?  From what I've seen, TRACK
> behaves pretty much like TRACE - so you should be able to get an XST attack
> from it -  but I've only seen both or none.  I guess it might be a way to
> circumvent an ACL or filter if TRACE is prohibited?
> Also, how about all the WEBDAV methods like LOCK, COPY, MOVE, etc?
> http://www.webdav.org/specs/rfc2518.html#rfc.section.4.4
> Is there a single method you can check to see if WEBDAV is enabled at all
> (like maybe PROPFIND)? (assuming something like OPTIONS doesn't already tell
> you)?  I havn't seen this too often, and was going to research this a little
> but thought someone might already have some insight.
> -George
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-testing/attachments/20080609/aced342f/attachment.html 

More information about the Owasp-testing mailing list