Saturday, January 18, 2014

This article is part of the OWASP Testing Guide v4 (the current status is: DRAFT). OWASP Testing Guide v4 Table of Contents [DRAFT]. At the moment the entire OWASP Testing Guide v3 can be downloaded here.

Contents
1 Brief Summary
2 Short Description of the Issue
3 Arbitrary HTTP Methods
4 Black Box testing and example
5 Black Box Testing of HTTP method tampering
5.1 Testing for arbitrary HTTP methods
5.2 Testing for HEAD access control bypass
6 Gray Box testing and example
7 References
Brief Summary

HTTP offers a number of methods that can be used to perform actions on the web server. Many of these methods are designed to aid developers in deploying and testing HTTP applications. These HTTP methods can be used for nefarious purposes if the web server is misconfigured. Additionally, Cross Site Tracing (XST), a form of cross site scripting using the server's HTTP TRACE method, is examined.

Short Description of the Issue

While GET and POST are by far the most common methods that are used to access information provided by a web server, the Hypertext Transfer Protocol (HTTP) allows several other (and somewhat less known) methods. RFC 2616 (which describes HTTP version 1.1, today's standard) defines the following eight methods: HEAD, GET, POST, PUT, DELETE, TRACE, OPTIONS, CONNECT.
Some of these methods can potentially pose a security risk for a web application, as they allow an attacker to modify the files stored on the web server and, in some scenarios, steal the credentials of legitimate users. More specifically, the methods that should be disabled are the following:

PUT: This method allows a client to upload new files on the web server. An attacker can exploit it by uploading malicious files (e.g.: an asp file that executes commands by invoking cmd.exe), or by simply using the victim's server as a file repository.

DELETE: This method allows a client to delete a file on the web server. An attacker can exploit it as a very simple and direct way to deface a web site or to mount a DoS attack.

CONNECT: This method could allow a client to use the web server as a proxy.

TRACE: This method simply echoes back to the client whatever string has been sent to the server, and is used mainly for debugging purposes. This method, originally assumed harmless, can be used to mount an attack known as Cross Site Tracing, which was discovered by Jeremiah Grossman (see links at the bottom of the page).

If an application needs one or more of these methods, such as REST Web Services (which may require PUT or DELETE), it is important to check that their usage is properly limited to trusted users and safe conditions.

Arbitrary HTTP Methods
Arshan Dabirsiaghi (see links) discovered that many web application frameworks allowed well chosen and/or arbitrary HTTP methods to bypass an environment level access control check:

Many frameworks and languages treat "HEAD" as a "GET" request, albeit one without any body in the response. If a security constraint was set on "GET" requests such that only "authenticatedUsers" could access GET requests for a particular servlet or resource, it would be bypassed for the "HEAD" version. This allowed unauthorized blind submission of any privileged GET request.

Some frameworks allowed arbitrary HTTP methods such as "JEFF" or "CATS" to be used without limitation. These were treated as if a "GET" method was issued, and again were found not to be subject to method role based access control checks on a number of languages and frameworks, again allowing unauthorized blind submission of privileged GET requests.
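The bypass described above comes from a security constraint declared per method on top of a dispatcher that routes HEAD and unknown verbs to the GET handler. The following added example (not code from the OWASP guide; the user store, handler names and dispatcher are constructed for illustration) shows that pattern beside a hardened version that rejects unimplemented verbs and applies the check to every remaining one:

```python
from typing import Callable, Dict, Optional

AUTHENTICATED_USERS = {"alice"}  # constructed user store for the demo


def privileged_resource(user: Optional[str]) -> int:
    return 200  # stands in for a GET handler that does privileged work


# Framework-style dispatch as the guide describes it: HEAD and unrecognised
# verbs such as "JEFF" fall back to the GET handler.
def dispatch(method: str, handlers: Dict[str, Callable]) -> Callable:
    return handlers.get(method, handlers["GET"])


def vulnerable_request(method: str, user: Optional[str]) -> int:
    """Security constraint declared for GET only: HEAD and arbitrary
    verbs reach the privileged handler without any check."""
    method = method.upper()
    if method == "GET" and user not in AUTHENTICATED_USERS:
        return 401
    return dispatch(method, {"GET": privileged_resource})(user)


def hardened_request(method: str, user: Optional[str]) -> int:
    """Reject verbs the resource does not implement, then apply the
    access-control check to every remaining verb, HEAD included."""
    method = method.upper()
    if method not in ("GET", "HEAD"):
        return 405  # Method Not Allowed: no silent fall-through to GET
    if user not in AUTHENTICATED_USERS:
        return 401
    # HEAD is still served by the GET handler, but only after authorisation
    return dispatch(method, {"GET": privileged_resource})(user)


if __name__ == "__main__":
    for verb in ("GET", "HEAD", "JEFF"):
        print(verb, vulnerable_request(verb, None), hardened_request(verb, None))
```

In a real framework the per-method constraint lives in configuration (for example a servlet security constraint listing only GET), so the same review applies there: every verb the resource answers must be covered by the constraint, and every other verb must be refused.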
Discover the Supported Methods

To perform this test, we need some way to figure out which HTTP methods are supported by the web server we are examining. The OPTIONS HTTP method provides us with the most direct and effective way to do that. RFC 2616 states that, "The OPTIONS method represents a request for information about the communication options available on the request/response chain identified by the Request-URI".
The testing method is extremely straightforward and we only need to fire up netcat (or telnet):

    icesurfer@nightblade ~ $ nc www.victim.com 80
    OPTIONS / HTTP/1.1
    Host: www.victim.com

    HTTP/1.1 200 OK
    Server: Microsoft-IIS/5.0
    Date: Tue, 31 Oct 2006 08:00:29 GMT
    Connection: close
    Allow: GET, HEAD, POST, TRACE, OPTIONS
    Content-Length: 0

    icesurfer@nightblade ~ $
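The same discovery step can be automated for an audit. This added example (not part of the guide) parses the Allow header out of a raw OPTIONS response and reports which of the methods the guide says should be disabled are present; the sample response is constructed to match the IIS reply above, and fetch_options is an assumed helper that performs the request with the standard library:

```python
import http.client
from typing import FrozenSet, Set

# Methods the guide says should normally be disabled on a web server
RISKY_METHODS: FrozenSet[str] = frozenset({"PUT", "DELETE", "CONNECT", "TRACE"})

# Constructed response text modelled on the netcat session in the guide
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/5.0\r\n"
    "Date: Tue, 31 Oct 2006 08:00:29 GMT\r\n"
    "Connection: close\r\n"
    "Allow: GET, HEAD, POST, TRACE, OPTIONS\r\n"
    "Content-Length: 0\r\n\r\n"
)


def parse_allow(raw_response: str) -> Set[str]:
    """Return the method names listed in the Allow header of a raw HTTP
    response. Header names are case-insensitive; LF-only line endings and a
    missing or empty Allow header are tolerated (empty set)."""
    head = raw_response.split("\r\n\r\n", 1)[0].split("\n\n", 1)[0]
    methods: Set[str] = set()
    for line in head.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "allow":
            methods |= {m.strip().upper() for m in value.split(",") if m.strip()}
    return methods


def risky_methods(raw_response: str) -> Set[str]:
    """Methods from the Allow header that the guide recommends disabling."""
    return parse_allow(raw_response) & RISKY_METHODS


def fetch_options(host: str, path: str = "/", port: int = 80) -> str:
    """Send the same OPTIONS request as the netcat session and return the
    status line plus headers as raw text (network call; assumed helper,
    not used by the offline demo below)."""
    conn = http.client.HTTPConnection(host, port, timeout=10)
    conn.request("OPTIONS", path, headers={"Host": host})
    resp = conn.getresponse()
    version = f"HTTP/{resp.version // 10}.{resp.version % 10}"
    lines = [f"{version} {resp.status} {resp.reason}"]
    lines += [f"{k}: {v}" for k, v in resp.getheaders()]
    conn.close()
    return "\r\n".join(lines) + "\r\n\r\n"


if __name__ == "__main__":
    print("allowed:", sorted(parse_allow(SAMPLE_RESPONSE)))
    print("should be disabled:", sorted(risky_methods(SAMPLE_RESPONSE)))
```

Note that some servers answer OPTIONS with no Allow header at all, or list methods they do not actually honour, so an empty or clean result is a hint rather than proof and the individual methods still need to be exercised.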
As we can see in the example, OPTIONS provides a list of the methods that are supported by the web server, and in this case we can see, for instance, that the TRACE method is enabled. The danger that is posed by this method is illustrated in the following section.

Test XST Potential

Note: in order to understand the logic and the goals of this attack you need to be familiar with Cross Site Scripting attacks.

The TRACE method, while apparently harmless, can be successfully leveraged in some scenarios to steal legitimate users' credentials. This attack technique was discovered by Jeremiah Grossman i
