
Paper: Bypassing URL Authentication and Authorization with HTTP Verb Tampering

Arshan Dabirsiaghi has announced a new paper discussing how switching HTTP verbs can bypass authorization checking in certain web frameworks. In the paper he also outlines how some web frameworks default to allowing HTTP methods that are not explicitly defined as 'protected' for a resource. I highly recommend reading this paper as well as the mailing list thread. While the concept of switching HTTP verbs to evade authorization checks isn't new to everyone, some of the examples on .NET and .htaccess aren't widely discussed.

Paper Link: http://www.webappsec.org/lists/websecurity/archive/2008-05/msg00072.html
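
The default-allow behaviour described above can be modelled in a few lines. This is an added example, not code from the paper or from any framework: the `Rule` class, both evaluator functions, the `/admin` policy and the sample requests are all constructed for illustration. It compares a rule that is enforced only for the methods it lists against a default-deny reading of the same rule, and reports where they disagree.

```python
# Added illustration: a toy model of method-scoped access rules, not a real framework's code.
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    path_prefix: str      # protected URL prefix
    methods: frozenset    # methods the rule author listed as protected
    role: str             # role required to pass the rule

# Constructed sample policy: only GET and POST were listed for /admin.
RULES = [Rule("/admin", frozenset({"GET", "POST"}), "admin")]

def allowed_listed_only(method, path, roles):
    """Flawed: the rule applies only to listed methods; anything else falls through."""
    for rule in RULES:
        if path.startswith(rule.path_prefix) and method.upper() in rule.methods:
            return rule.role in roles
    return True  # default allow

def allowed_default_deny(method, path, roles):
    """Hardened: the rule covers the path for every method; unlisted methods are rejected."""
    for rule in RULES:
        if path.startswith(rule.path_prefix):
            return method.upper() in rule.methods and rule.role in roles
    return True  # path is not covered by any rule

def audit(requests, roles=frozenset()):
    """Return the requests the flawed evaluator allows but the hardened one rejects."""
    return [(m, p) for m, p in requests
            if allowed_listed_only(m, p, roles)
            and not allowed_default_deny(m, p, roles)]

# Constructed sample requests from a client holding no roles.
SAMPLE = [("GET", "/admin/users"), ("POST", "/admin/users"),
          ("HEAD", "/admin/users"), ("PUT", "/admin/users"),
          ("GET", "/public")]

if __name__ == "__main__":
    for method, path in audit(SAMPLE):
        print(f"not covered by listed-only policy: {method} {path}")
```

Running the same comparison against a real rule set is a quick way to find protected paths whose rules name individual methods instead of covering all of them.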