Testing for existence of insecure HTTP Methods : TRACE, PUT, DELETE, CONNECT


Sandeep Thakur

Jul 28, 2010, 4:13:03 PM
to nforceit

HTTP offers a number of methods that can be used to perform actions on the web server. Many of these methods are designed to aid developers in deploying and testing HTTP applications. These HTTP methods can be used for nefarious purposes if the web server is misconfigured. Additionally, Cross Site Tracing (XST), a form of cross site scripting using the server's HTTP TRACE method, is examined.

Short Description of the Issue

While GET and POST are by far the most common methods that are used to access information provided by a web server, the Hypertext Transfer Protocol (HTTP) allows several other (and somewhat less known) methods. RFC 2616 (which describes HTTP version 1.1, which is today's standard) defines the following eight methods:

  • HEAD
  • GET
  • POST
  • PUT
  • DELETE
  • TRACE
  • OPTIONS
  • CONNECT

Some of these methods can potentially pose a security risk for a web application, as they allow an attacker to modify the files stored on the web server and, in some scenarios, steal the credentials of legitimate users. More specifically, the methods that should be disabled are the following:

  • PUT: This method allows a client to upload new files on the web server. An attacker can exploit it by uploading malicious files (e.g.: an asp file that executes commands by invoking cmd.exe), or by simply using the victim's server as a file repository
  • DELETE: This method allows a client to delete a file on the web server. An attacker can exploit it as a very simple and direct way to deface a web site or to mount a DoS attack
  • CONNECT: This method could allow a client to use the web server as a proxy
  • TRACE: This method simply echoes back to the client whatever string has been sent to the server, and is used mainly for debugging purposes. This method, originally assumed harmless, can be used to mount an attack known as Cross Site Tracing, which has been discovered by Jeremiah Grossman (see links at the bottom of the page)

If an application needs one or more of these methods, such as REST Web Services (which may require PUT or DELETE), it is important to check that their usage is properly limited to trusted users and safe conditions.

For more information on performing blackbox testing of HTTP Methods:
 
 
 
Regards
Sandeep Thakur
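
An added example, not part of the original post or of any tool named in this thread: a WSGI middleware that limits PUT and DELETE to trusted users and refuses TRACE, CONNECT and any unrecognized method. The names `MethodPolicy`, `demo_app`, `probe` and the `deploy-bot` user are hypothetical, and it assumes an upstream authentication layer sets `REMOTE_USER`.

```python
# Added example: default-deny HTTP method policy as WSGI middleware.
# Assumption: an upstream auth layer sets REMOTE_USER for authenticated users.

SAFE_METHODS = {"GET", "HEAD", "POST", "OPTIONS"}
RESTRICTED_METHODS = {"PUT", "DELETE"}  # permitted only for trusted users
# TRACE, CONNECT and every other token fall through to 405.


class MethodPolicy:
    def __init__(self, app, trusted_users):
        self.app = app
        self.trusted_users = frozenset(trusted_users)

    def decide(self, environ):
        """Return a refusal status line, or None if the request may proceed."""
        method = environ.get("REQUEST_METHOD", "")
        if method in SAFE_METHODS:
            return None
        if method in RESTRICTED_METHODS:
            if environ.get("REMOTE_USER") in self.trusted_users:
                return None
            return "403 Forbidden"
        # Methods are case-sensitive, so "trace" is an unknown token: refused.
        return "405 Method Not Allowed"

    def __call__(self, environ, start_response):
        status = self.decide(environ)
        if status is None:
            return self.app(environ, start_response)
        headers = [("Content-Type", "text/plain"), ("Content-Length", "0")]
        if status.startswith("405"):
            allowed = ", ".join(sorted(SAFE_METHODS | RESTRICTED_METHODS))
            headers.append(("Allow", allowed))
        start_response(status, headers)
        return [b""]


def demo_app(environ, start_response):
    """Hypothetical wrapped application; always answers 200."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok"]


def probe(method, user=None):
    """Send one constructed request through the policy; return the status."""
    seen = {}
    environ = {"REQUEST_METHOD": method, "PATH_INFO": "/"}
    if user:
        environ["REMOTE_USER"] = user
    wrapped = MethodPolicy(demo_app, trusted_users={"deploy-bot"})
    wrapped(environ, lambda status, headers: seen.update(status=status))
    return seen["status"]
```

Because the policy is an allowlist, a method that is not named in either set is refused without needing its own rule.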

kishore kumar

Jul 29, 2010, 12:54:42 AM
to nfor...@googlegroups.com
PUT and DELETE can cause a lot of damage if one can exploit them.

put.pl is a tool which can be used to upload stuff if the PUT method is enabled; it can be found at http://digitaloffense.net/tools/

There is one more tool to test and exploit if PUT and DELETE are enabled:
WINIE from http://jigsaw.w3.org/Winie/. For some reason the site is not accessible from my end. I am attaching the file anyway. Find the attachment.
Extract the rar file. In the winie folder, open the jars folder and access winie.jar.

Be careful about doing it in a production environment.





--
Regards,
kishore sangaraju
Winie.rar