
Paper: Bypassing URL Authentication and Authorization with HTTP Verb Tampering

Arshan Dabirsiaghi has announced a new paper discussing how switching HTTP verbs can bypass authorization checks in certain web frameworks. In the paper he also outlines how some web frameworks default to allowing any HTTP method that is not explicitly listed in the definition of a 'protected' resource. I highly recommend reading this paper as well as the mailing list thread. While the concept of switching HTTP verbs to evade authorization checks isn't new to everyone, some of the examples on .NET and .htaccess aren't widely discussed.

Paper Link: http://www.webappsec.org/lists/websecurity/archive/2008-05/msg00072.html
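
A defender-side check for the .htaccess case mentioned above, as an added example that is not taken from the paper or from this post. It assumes the case in question is Apache's `<Limit>` directive, which applies the access controls it encloses only to the methods it names; the sample files, the password file path and the function name `find_method_scoped_auth` are constructed for illustration.

```python
import re

# Constructed sample .htaccess (not from the paper): auth is scoped to GET and POST only,
# so a request using any other method is not subject to "Require valid-user".
SAMPLE_WEAK = """\
AuthType Basic
AuthName "Admin"
AuthUserFile /etc/apache2/.htpasswd
<Limit GET POST>
    Require valid-user
</Limit>
"""

# Constructed corrected form: without the <Limit> wrapper the rule covers every method.
SAMPLE_FIXED = """\
AuthType Basic
AuthName "Admin"
AuthUserFile /etc/apache2/.htpasswd
Require valid-user
"""

ACCESS_DIRECTIVES = ("require", "order", "allow", "deny", "satisfy")
LIMIT_OPEN = re.compile(r"^<Limit\s+([^>]*)>", re.I)   # does not match <LimitExcept ...>
LIMIT_CLOSE = re.compile(r"^</Limit>", re.I)

def find_method_scoped_auth(config_text):
    """Return [(line_no, methods)] for each <Limit> block that wraps access control."""
    findings = []
    open_line, methods, has_acl = None, [], False
    for n, line in enumerate(config_text.splitlines(), 1):
        stripped = line.strip()
        if stripped.startswith("#"):          # Apache comments are whole lines
            continue
        m = LIMIT_OPEN.match(stripped)
        if m:
            open_line, methods, has_acl = n, m.group(1).split(), False
        elif LIMIT_CLOSE.match(stripped):
            if open_line is not None and has_acl:
                findings.append((open_line, methods))
            open_line = None
        elif open_line is not None and stripped:
            if stripped.split()[0].lower() in ACCESS_DIRECTIVES:
                has_acl = True
    return findings

if __name__ == "__main__":
    for line_no, methods in find_method_scoped_auth(SAMPLE_WEAK):
        print(f"line {line_no}: access control applies only to {methods}")
```

A finding means the enclosed rule protects only the listed methods; review whether the resource should be restricted for all methods instead.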
