[Owasp-testing] how to disable WebDAV in IIS 6.0
Subhasis
subhasis.choudhury at cyberqindia.com
Tue Jun 10 00:21:46 EDT 2008
Hi everyone,
I want to know how to disable WebDAV in IIS 6.0 running on the Windows platform. Eagerly waiting for some suggestions.
regards,
subhasis
On Mon, 09 Jun 2008 owasp-testing-request at lists.owasp.org wrote :
Today's Topics:
1. HTTP TRACK and WEBDAV (gsiere at comcast.net)
2. Re: HTTP TRACK and WEBDAV (Dave van Stein)
3. Re: Updated Index draft (kevin horvath)
4. Re: Updated Index draft (rick.mitchell at bell.ca)
----------------------------------------------------------------------
Message: 1
Date: Mon, 09 Jun 2008 12:17:59 +0000
From: gsiere at comcast.net
Subject: [Owasp-testing] HTTP TRACK and WEBDAV
To: Daniel Cuthbert
Cc: owasp-testing
Message-ID:
Content-Type: text/plain; charset="us-ascii"
All,
Ref HTTP Method Section 4.3.8
Has anyone seen HTTP "TRACK" method enabled when "TRACE" was not? Would it make sense to test for "TRACK" separately? From what I've seen, TRACK behaves pretty much like TRACE - so you should be able to get an XST attack from it - but I've only seen both or none. I guess it might be a way to circumvent an ACL or filter if TRACE is prohibited?
Also, how about all the WEBDAV methods like LOCK, COPY, MOVE, etc? http://www.webdav.org/specs/rfc2518.html#rfc.section.4.4
Is there a single method you can check to see if WEBDAV is enabled at all (like maybe PROPFIND)? (assuming something like OPTIONS doesn't already tell you)? I haven't seen this too often, and was going to research this a little but thought someone might already have some insight.
-George
------------------------------
Message: 2
Date: Mon, 9 Jun 2008 14:33:17 +0200
From: "Dave van Stein"
Subject: Re: [Owasp-testing] HTTP TRACK and WEBDAV
To: owasp-testing
Message-ID:
Content-Type: text/plain; charset="iso-8859-1"
Talking about new thing/ways to test .. Did anybody see this blog:
http://0x000000.com/index.php?i=590&bin=1001001110
It's about using existing, available .js or other resource for generating
XSS and thus bypassing 'script filtering' and other blacklisting methods ...
Very interesting and also something to at least mention in the manual ?
Dave
2008/6/9 :
> All,
>
> Ref HTTP Method Section 4.3.8
>
> Has anyone seen HTTP "TRACK" method enabled when "TRACE" was not? Would it
> make sense to test for "TRACK" separately? From what I've seen, TRACK
> behaves pretty much like TRACE - so you should be able to get an XST attack
> from it - but I've only seen both or none. I guess it might be a way to
> circumvent an ACL or filter if TRACE is prohibited?
>
> Also, how about all the WEBDAV methods like LOCK, COPY, MOVE, etc?
> http://www.webdav.org/specs/rfc2518.html#rfc.section.4.4
>
> Is there a single method you can check to see if WEBDAV is enabled at all
> (like maybe PROPFIND)? (assuming something like OPTIONS doesn't already tell
> you)? I haven't seen this too often, and was going to research this a little
> but thought someone might already have some insight.
>
> -George
>
------------------------------
Message: 3
Date: Mon, 9 Jun 2008 10:15:05 -0400
From: "kevin horvath"
Subject: Re: [Owasp-testing] Updated Index draft
To: "Daniel Cuthbert"
Cc: owasp-testing
Message-ID:
Content-Type: text/plain; charset=UTF-8
I agree that no matter which route we take on this or anything else in
regards to the guide we should be consistent throughout. Since I
believe this guide is targeted to the professional ethical hacker it
should be written in a more professional manner, as such I will update
my sections to reflect the "3rd person" more formal writing style.
Thanks again for the feedback!
Kevin
On Mon, Jun 9, 2008 at 7:42 AM, Daniel Cuthbert
wrote:
> Whilst the industry might have become slack with the use of English,
> business hasn't, especially when it comes to delivering reports that are
> read by senior management and board level members. There is nothing worse
> than an informal report being given to a client and them wondering if they
> indeed are actually dealing with a professional business person or a hacker.
>
> On 09 Jun 2008, at 12:36 PM, gsiere at comcast.net wrote:
>
> Dan,
>
> It's been a while since I was in school, but yes, usually one would use "3rd
> person" for formal writing. However - I think writing, especially within
> our security community, has gotten a lot less formal - which is ok. We
> should probably just stay consistent throughout the document though.
>
> -George
>
>
> -------------- Original message --------------
> From: "Dave van Stein"
> All,
>
> I have a general question which concerns all chapters of the manual.
>
> In reviewing Kevin's piece I noticed the usage of 'I' and 'you'. Since I am
> not a native English speaker I don't know about the rules in technical
> English writing about this, but in my language this is considered
> unprofessional and should be avoided at all times.
>
> Can someone clear this up for me ? Is that 'allowed' or professional in the
> English language ?
>
> regards, dave
>
>
>
> 2008/6/7 kevin horvath :
>>
>> Thank you for your responses. As for the GET requests I intended the
>> proxy to be used for all requests not just the POST's. In the
>> description I say that I trap every request and every response
>> additionally I also note that every interesting GET/POST should be
>> recorded in the spreadsheet and cross referenced to the request number
>> in the proxy. Although I will look at it again to try to make sure it
>> is more clear so that new readers to the project don't misunderstand
>> it. Thanks again for all the help so far as it is very much
>> appreciated.
>>
>> Kevin
>>
>> On Sat, Jun 7, 2008 at 7:00 AM, Matteo Flora wrote:
>> > On Fri, Jun 6, 2008 at 9:42 PM, kevin horvath
>> > wrote:
>> >> I know everyone is busy writing but if anyone could help and do a
>> >
>> > Not everybody is busy writing. Someone is READING :)
>> >
>> >> quick review of one of my sections I would appreciate it.
>> >
>> > Nice work, really.
>> >
>> > If only I'm allowed a little side-note I've seen you've suggested the
>> > use of webapp proxies for analyzing POST requests. It should, in my
>> > opinion, be clarified that use of proxies (or browser plugins) are a
>> > good methodology all-over even in GET requests.
>> >
>> > More and more over, in fact, as you know GET and POSTs are manipulated
>> > or generated via JS and a clear image of what happens behind the
>> > curtains of the code even taking a look at the page source. Add to
>> > this multiple JS inclusion, a little bit of obfuscation (think about
>> > Google Analytics scripts) and some fast redirect (as in Tivoli Access
>> > Manager, for example) and I think anyone will understand why WebScarab
>> > and/or Tamperdata and/or [include_your_fave_app_here] is vital...
>> > ...and better not forget those pesky little Iframes that always get
>> > neglected when you don't use a proxy...
>> >
>> > I know you use proxies, I see only the opportunity for doing some
>> > gentle concept bashing into the minds of "newbies" and people seeking
>> > a good start in a testing methodology :)
>> >
>> > Of course these are just my $0.02 (or €.0012 at the actual exchange rate
>> > =])
>> >
>> > Matteo. (the OTHER italian Matteo)
>> >
>> > --
>> > Matteo G.P. Flora // www.matteoflora.com // mf(at)matteoflora(dot)com
>> > Security Consultant and New Media Strategic Consultant
>> >
>> > Profile www.linkedin.com/in/matteoflora || Blog www.lastknight.com ||
>> > Twitter www.twitter.com/lastknight || Facebook
>> > http://www.facebook.com/profile.php?id=502992052
>> >
>> _______________________________________________
>> Owasp-testing mailing list
>> Owasp-testing at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-testing
>
>
> From: "Dave van Stein"
> Date: 07 June 2008 7:56:50 PM
> To: "kevin horvath"
> Cc: owasp-testing
> Subject: Re: [Owasp-testing] Updated Index draft
>
>
------------------------------
Message: 4
Date: Mon, 9 Jun 2008 11:52:10 -0400
From:
Subject: Re: [Owasp-testing] Updated Index draft
To:
Message-ID:
Content-Type: text/plain; charset="us-ascii"
Hi Kevin & everyone,
A few things come to mind, none of which are specific to Kevin's
article.
1) I'd suggest we don't use "and/or"; it looks indecisive/quick/messy.
I've got an illustrative example here if you care to take a look:
https://www.owasp.org/index.php/User:Rick.mitchell#.22and.2For.22_Explanation
2) We need to come up with a standard for section naming conventions
(this isn't unique to your article). Wikipedia suggests only leading
caps however I think the overall plan here is to publish this as a *.doc
and *.pdf once complete so I suggest full title caps.
3) I suggest we add some sort of tag to the index page
(https://www.owasp.org/index.php/OWASP_Testing_Guide_v3_Table_of_Contents)
similar to the "(new)" and "(toimp)" tags to indicate when sections
are ready to be reviewed. Perhaps (100), (toreview), or (reviewpls).
4) I agree we should attempt to write in the third person (as has been
discussed already).
5) If we're going to use slang terms like "automagically" we should
agree on a formatting scheme (underline, italics, quoted, or whatever).
Other than that the article is in good shape. I made some minor edits
which you can see via the following diff:
https://www.owasp.org/index.php?title=Testing%3A_Identify_application_entry_points&diff=30882&oldid=30711
Rick
------------------------------
End of Owasp-testing Digest, Vol 15, Issue 6
********************************************
--
Subhasis Choudhury
Information Security Consultant
M: 9891074602
9971747603
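
A check for the question George raises in the quoted digest (does the OPTIONS response already show whether WebDAV is on?), usable to confirm on a server you administer that WebDAV is really off after disabling it. This is an added example, not part of the original thread; both sample responses are constructed, and the function and field names are illustrative.

```python
# Methods defined for WebDAV by RFC 2518, and the two diagnostic methods discussed.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}
TRACE_METHODS = {"TRACE", "TRACK"}

def parse_response_head(raw):
    """Split a raw HTTP response into (status code, {lower-case name: [values]})."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers

def audit_options_response(raw):
    """Report what an OPTIONS response advertises about WebDAV and TRACE/TRACK."""
    status, headers = parse_response_head(raw)
    advertised = set()
    for name in ("allow", "public"):          # IIS lists methods in both headers
        for value in headers.get(name, []):
            advertised.update(m.strip().upper() for m in value.split(",") if m.strip())
    dav_header = ", ".join(headers.get("dav", [])) or None   # RFC 2518 compliance classes
    author_via = " ".join(headers.get("ms-author-via", [])).upper()
    dav_methods = sorted(advertised & WEBDAV_METHODS)
    return {
        "status": status,
        "dav_header": dav_header,
        "webdav_methods": dav_methods,
        "trace_methods": sorted(advertised & TRACE_METHODS),
        "webdav_advertised": bool(dav_header or dav_methods or "DAV" in author_via),
    }

# Constructed sample responses (not captured from a real host).
SAMPLE_WEBDAV_ON = (
    "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/6.0\r\nMS-Author-Via: DAV\r\n"
    "DAV: 1, 2\r\n"
    "Public: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, "
    "PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH\r\n"
    "Allow: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK\r\n"
    "Content-Length: 0\r\n\r\n"
)
SAMPLE_WEBDAV_OFF = (
    "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/6.0\r\n"
    "Public: OPTIONS, TRACE, GET, HEAD, POST\r\n"
    "Allow: OPTIONS, TRACE, GET, HEAD\r\nContent-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    for label, raw in (("on", SAMPLE_WEBDAV_ON), ("off", SAMPLE_WEBDAV_OFF)):
        print(label, audit_options_response(raw))
```

A response that advertises nothing only shows what the server or an intermediate filter chose to list, which is why George asks about sending PROPFIND directly; TRACK does not appear in either sample and would need its own request as well.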