
Testing for HTTP Verb Tampering

Summary

The HTTP specification includes request methods other than the standard GET and POST. A standards-compliant web server may respond to these alternative methods in ways not anticipated by developers.

Method    Description
GET       Retrieve information from the given server using the URI
HEAD      Same as GET, but without the entity-body
POST      Send data to the server
PUT       Request that the server store the included entity-body at the location specified by the given URL
DELETE    Delete a file on the web server
CONNECT   Establish a new network connection to a web server over HTTP
OPTIONS   Find out the HTTP methods and other options supported by the web server
TRACE     Perform a message loop-back test along the path to the target resource

If enabled, the Web Distributed Authoring and Versioning (WebDAV) extension of HTTP permits several more HTTP methods:

Method     Description
PROPFIND   Used to retrieve properties, stored as XML, from a web resource
MKCOL      Used to create collections
COPY       Used to copy a resource from one URI to another
PROPPATCH  Set and/or remove properties defined on the resource identified by the Request-URI
MOVE       Used to move a resource from one URI to another
LOCK       Used to put a lock on a resource
UNLOCK     Used to remove a lock from a resource

  • If the web server accepts a request method other than GET or POST, the test fails. Solution: disable all non-GET/POST functionality within the web application server, or in a web application firewall.
  • If methods such as HEAD or OPTIONS need to be used:
    • verify that these alternate methods do not trigger actions without proper authentication or reveal information about the contents or workings of the web application;
    • limit alternate HTTP method usage to a single page that contains no user actions.

How to test

Manual HTTP verb tampering testing

    nc -v [host] 80
    [method] / [resource] HTTP/1.x
    ex:
    nc -v ketqua.net 80
    HEAD / HTTP/1.0

To speed up testing, create a file test.txt and store all the requests in it, separated by blank lines. Example contents of test.txt:

    OPTIONS /index.html HTTP/1.1
    Host: www.example.com

    OPTIONS /index.html HTTP/1.1
    Host: www.example.com

Run: nc www.example.com 80 < test.txt

Automated HTTP verb tampering testing

If you are able to analyze your application via HTTP status codes (200 OK, 501 Not Implemented, etc.), the following bash script will test all available HTTP methods.

    #!/bin/bash
    # Usage: ./test.txt <host>
    # Sends one raw request per method and prints the status line returned for each.

    for webservmethod in GET POST PUT TRACE CONNECT OPTIONS PROPFIND;
    do
        printf "$webservmethod " ;
        # The request must end with a blank line (the \n\n) so the server treats it as complete
        printf "$webservmethod / HTTP/1.1\nHost: $1\n\n" | nc -q 1 "$1" 80 |
        grep "HTTP/1.1"
    done

Run:

    ./test.txt vnexpress.net
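The same probe as a small Python script, added here as an example (it is not part of the original post or the OWASP guide): it builds the raw requests the nc one-liners send, records the status code per method, and reports every method accepted outside GET/POST, which is the pass/fail rule given above. The host and port are whatever you pass to probe(); the method list is a constructed superset of the bash loop.

```python
import socket

# Methods to probe: the post's bash loop plus HEAD and DELETE (constructed list).
METHODS = ["GET", "POST", "HEAD", "PUT", "DELETE", "TRACE", "CONNECT", "OPTIONS", "PROPFIND"]
# Methods the post allows; any other method the server accepts fails the test.
EXPECTED = {"GET", "POST"}

def build_request(method, host, path="/"):
    """Raw HTTP/1.1 request, CRLF-terminated, with Host and Connection: close headers."""
    return f"{method} {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()

def parse_status(response):
    """Status code from the first response line, or None if it is not an HTTP status line."""
    first = response.split(b"\r\n", 1)[0].split(b"\n", 1)[0]
    parts = first.split()
    if len(parts) >= 2 and parts[0].startswith(b"HTTP/") and parts[1].isdigit():
        return int(parts[1])
    return None

def parse_allow(response):
    """Methods advertised in an Allow: header (e.g. an OPTIONS response); empty set if absent."""
    head = response.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n"):
        if line.lower().startswith("allow:"):
            return {m.strip().upper() for m in line.split(":", 1)[1].split(",") if m.strip()}
    return set()

def probe(host, port=80, timeout=5.0):
    """Send each method on a fresh connection and map it to the status code (None = no reply)."""
    results = {}
    for method in METHODS:
        try:
            with socket.create_connection((host, port), timeout=timeout) as s:
                s.sendall(build_request(method, host))
                data = b""
                while len(data) < 4096:          # status line and headers are enough
                    chunk = s.recv(1024)
                    if not chunk:
                        break
                    data += chunk
            results[method] = parse_status(data)
        except OSError:                          # refused, timed out, reset
            results[method] = None
    return results

def findings(results):
    """Methods the server accepted (status below 400) other than GET/POST: the post's fail rule."""
    return {m for m, code in results.items() if code is not None and code < 400} - EXPECTED
```

Call probe("www.example.com") to get the per-method status table, then findings() on it to list what to report; parse_allow() on the raw OPTIONS response shows what the server itself advertises, which is worth comparing against what it actually accepted.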

Source : https://www.owasp.org/index.php/Testing_for_HTTP_Verb_Tampering_%28OTG-INPVAL-003%29
