Paper: Bypassing URL Authentication and Authorization with HTTP Verb Tampering
Arshan Dabirsiaghi has announced a new paper discussing how switching HTTP verbs can bypass authorization checking in certain web frameworks. In the paper he also outlines how some web frameworks default to allowing HTTP methods that are not explicitly defined as 'protected' for a resource. I highly recommend reading this paper as well as the mailing list thread. While the concept of switching HTTP verbs to evade authorization checks isn't new to everyone, some of the examples on .NET and .htaccess aren't widely discussed.
Paper Link: http://www.webappsec.org/lists/websecurity/archive/2008-05/msg00072.html
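
To make the .htaccess case concrete, here is an added configuration example (written for this post, not taken from the paper) showing a method-scoped rule beside a form that covers every method. The realm name and the password file path are placeholders.

```apache
# --- Variant A (weak): requirement scoped to listed methods only ---
# The Require line sits inside <Limit>, so it is enforced only for
# GET and POST. A request that arrives with any method not listed
# here is not covered by the requirement at all.
AuthType Basic
AuthName "Restricted area"
# Placeholder path, adjust for the deployment
AuthUserFile /path/to/.htpasswd
<Limit GET POST>
    Require valid-user
</Limit>

# --- Variant B (corrected): no method scoping ---
# Use this instead of Variant A, not alongside it. With Require
# outside any <Limit> block, the requirement applies to every
# request for the directory regardless of its HTTP method.
AuthType Basic
AuthName "Restricted area"
# Placeholder path, adjust for the deployment
AuthUserFile /path/to/.htpasswd
Require valid-user
```

When reviewing existing configurations, any access requirement found inside a `<Limit>` block is worth checking against the methods the application actually accepts.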