HTTP methods can pose security risks if the web server is not properly configured. Attackers may use Cross Site Tracing (XST) via the TRACE method to steal user credentials. The PUT, DELETE, and CONNECT methods could allow attackers to upload malicious files, delete files to deface sites, or use the server as a proxy. It is important to limit these methods to trusted users under safe conditions. The OPTIONS method provides information about the available communication options, which can be used for testing. Arbitrary methods such as "JEFF" and "CATS" are a vulnerability if the server accepts them without limitation and treats them like GET. A HEAD request that returns a 200 response without authentication indicates that the login requirement can be bypassed.
Why HTTP Testing?
HTTP methods can be used for nefarious purposes if the web server is misconfigured. Additionally,
Cross Site Tracing (XST), a form of cross site scripting that uses the server's HTTP TRACE method, is used by
attackers to get the credentials of authenticated users.
The HTTP methods are:
HEAD
GET
POST
PUT
DELETE
TRACE
OPTIONS
CONNECT
Arbitrary (non-standard) methods are, for example, FOOBAR, JEFF, CATS, etc.
HG PPD OC = HEAD, GET, POST, PUT, DELETE, OPTIONS, CONNECT
Some of these methods can pose a security risk for the application, as they allow an attacker to modify
the files stored on the web server and, in some scenarios, steal the credentials of legitimate users.
PUT = This method allows a client to upload new files to the web server. An attacker can exploit it by
uploading malicious files (e.g. an ASP file that invokes cmd.exe), or by simply using the victim's server as a
file repository.
DELETE = This method allows a client to delete a file on the web server. An attacker can exploit it as a
simple and direct way to deface a web site or to mount a DoS attack.
CONNECT = This method could allow a client to use the web server as a proxy.
TRACE = This method simply echoes back to the client whatever string has been sent to the server and is
used mainly for debugging purposes. It is used to mount an attack known as Cross Site Tracing, which
was discovered by Jeremiah Grossman.
If an application needs one or more of these methods, for example REST web services (which may require
PUT or DELETE), it is important to check that their usage is properly limited to trusted users and safe
conditions.
Many frameworks and languages treat HEAD as a GET request without a body in the response. If only
authenticated users are allowed to reach a particular servlet or resource, that check may be bypassed by a
HEAD request.
Some frameworks allowed arbitrary HTTP methods such as "JEFF" and "CATS" to be used without
limitation; they were treated as if a GET request had been issued.
So there is a need for the code to explicitly check for a GET or POST method.
Black Box Testing of HTTP Methods
The OPTIONS HTTP method provides the most direct and effective way to find out which methods the server
supports. The OPTIONS method requests information about the communication options available on the
request/response chain identified by the Request-URI.
The testing method is extremely straightforward: we only need to fire up netcat or telnet.
The HttpOnly flag on a cookie forbids JavaScript from accessing it, but the TRACE method can be used to
bypass this protection and read the cookie. This is the Cross Site Tracing form of cross site scripting.
The attacker-controlled web server receives the document.cookie value and uses it to hijack the victim's session.
When we issue the TRACE command using telnet, we get a copy of the request we sent echoed back at the end of the response.
This means that an attacker can use it to obtain the cookie and then use it from JavaScript even though it
is tagged as HttpOnly.
TESTING FOR ARBITRARY HTTP METHODS
Check whether the server accepts JEFF or not. If there is no 405 Method Not Allowed or 501 Not
Implemented error page, then there is a vulnerability.
Try one of the following to exploit it fully:
FOOBAR /admin/createUser.php?member=myAdmin
JEFF /admin/changePw.php?member=myAdmin&passwd=foo123&confirm=foo123
CATS /admin/groupEdit.php?group=Admins&member=myAdmin&action=add
With a little luck, by using the above combination we can create a new user, assign it a password,
and make it an admin.
Testing for HEAD access control bypass
Take the URL of a page that forces a redirection to login, send a HEAD request for that URL and look at the
response. If a 302 redirect is returned, then the check is in place. If we get a 200 response, then it is easy to bypass the
authentication and thus the authorization. If a 200 response code comes back and the response contains no
body, then it is likely that the application has processed the request without authentication and further
testing is warranted.
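The three black-box checks above (OPTIONS enumeration, an arbitrary method such as JEFF, and HEAD against a login-protected page), run against a small server that applies the fixes the notes call for (an explicit method allow-list and one access check shared by GET and HEAD). This is an added example, not code from the original notes; the server, the /admin/ path, the session cookie value and the function names are all constructed for the demonstration.

```python
import http.client, threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

AUTH_COOKIE = "session=valid"  # constructed stand-in for a real session check

class Handler(BaseHTTPRequestHandler):
    def __getattr__(self, name):
        if name.startswith("do_"):  # do_PUT, do_DELETE, do_TRACE, do_JEFF, ... are not defined,
            return lambda: self._reply(405)  # so every such method is refused instead of served
        raise AttributeError(name)

    def _reply(self, status, body=b"", location=None):
        self.send_response(status)
        self.send_header("Allow", "GET, HEAD, OPTIONS")  # the explicit allow-list
        if location:
            self.send_header("Location", location)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        if self.command != "HEAD":  # HEAD gets GET's status and headers, never the body
            self.wfile.write(body)

    def do_OPTIONS(self):
        self._reply(200)

    def do_GET(self):
        # One access check shared by GET and HEAD: an unauthenticated request is redirected
        if self.path.startswith("/admin/") and self.headers.get("Cookie") != AUTH_COOKIE:
            return self._reply(302, location="/login")
        self._reply(200, b"admin page")

    do_HEAD = do_GET  # explicit, so HEAD is never "GET minus the checks"

def start_server():
    server = ThreadingHTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def probe(port, method, path="/admin/index", headers=None):
    """One request, as the page does with telnet/netcat; returns (status, Allow header)."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request(method, path, headers=headers or {})
    resp = conn.getresponse()
    conn.close()
    return resp.status, resp.getheader("Allow")

def audit(port):  # the page's three checks against one server; a True value is a finding
    return {"allow": probe(port, "OPTIONS")[1],
            "head_bypass": probe(port, "HEAD")[0] == 200,  # HEAD should get GET's 302
            "arbitrary_method_accepted": probe(port, "JEFF")[0] not in (405, 501),
            "trace_enabled": probe(port, "TRACE")[0] == 200}
```

Pointing probe() at a server that maps HEAD onto GET without the access check, or that dispatches unknown methods to the GET handler, makes head_bypass or arbitrary_method_accepted come back True.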