[Owasp-testing] HTTP TRACK and WEBDAV

Dave van Stein dvstein at gmail.com
Mon Jun 9 15:05:13 EDT 2008


ehmm ... I'd vote for Cross site function stealing ...

2008/6/9 <gsiere at comcast.net>:

> I like it!  Just...what do you call this??
>
> Cross Site Script Abuse?
> Cross Site Function Stealing?
> Cross Site Script Overloading?
>
> -George
>
>
> -------------- Original message --------------
> From: "Dave van Stein" <dvstein at gmail.com>
> Talking about new thing/ways to test .. Did anybody see this blog:
> http://0x000000.com/index.php?i=590&bin=1001001110
> It's about using existing, available .js or other resource for generating
> XSS and thus bypassing 'script filtering' and other blacklisting methods ...
>
> Very interesting and also something to at least mention in the manual ?
>
> Dave
>
>
>
>
> 2008/6/9 <gsiere at comcast.net>:
>
>>  All,
>>
>> Ref HTTP Method Section 4.3.8
>>
>> Has anyone seen HTTP "TRACK" method enabled when "TRACE" was not?  Would
>> it make sense to test for "TRACK" separately?  From what I've seen, TRACK
>> behaves pretty much like TRACE - so you should be able to get an XST attack
>> from it -  but I've only seen both or none.  I guess it might be a way to
>> circumvent an ACL or filter if TRACE is prohibited?
>>
>> Also, how about all the WEBDAV methods like LOCK, COPY, MOVE, etc?
>> http://www.webdav.org/specs/rfc2518.html#rfc.section.4.4
>>
>> Is there a single method you can check to see if WEBDAV is enabled at all
>> (like maybe PROPFIND)? (assuming something like OPTIONS doesn't already tell
>> you)?  I havn't seen this too often, and was going to research this a little
>> but thought someone might already have some insight.
>>
>> -George
>>
>
>
>
> ---------- Doorgestuurd bericht ----------
> From: "Dave van Stein" <dvstein at gmail.com>
> To: owasp-testing <owasp-testing at lists.owasp.org>
> Date: Mon, 9 Jun 2008 12:33:25 +0000
> Subject: Re: [Owasp-testing] HTTP TRACK and WEBDAV
> _______________________________________________
> Owasp-testing mailing list
> Owasp-testing at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-testing
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-testing/attachments/20080609/f2dda4fb/attachment-0001.html 


More information about the Owasp-testing mailing list