Why HTTP Testing?

The HTTP methods can be used or nefarious purposes if the web server is mis-cofigured. Additionally Cross Site Tracing (XST), a form of cross site scripting using the server’s HTTP TRACE method, is used by attackers to get the credentials of authenticated users.

Other HTTP Methods are:-

HEAD

GET

POST

PUT

DELETE

TRACE

OPTIONS

CONNECT

Other Arbitrary Methods are = FOOBAR JEFF CATS etc.

HG PPD OC

HEAD Get POST PUT Delete Options Connect

Some of these methods can pose a security risk for the application as they allow an attacker to modify the files stored on the web server and in some scenarios steal the credentials of legitimate users.

PUT = This method allows a client to upload new files on the web server. An attacker can exploit it by uploading malicious files. (E.g an asp file that invokes cmd.exe or by simply using the victim’s server as a file repository)

DELETE = This method allows a client to delete a file on the web server. An attacker can exploit it as a simple and direct way to deface a web site or to mount a DoS attack.

CONNECT = This method could allow a client to use a web server as a proxy.

TRACE = This method simply echoes back to the client whatever string has been sent to the server and is used mainly for debugging purposes. This is used to mount an attack known as Cross Site Tracing which had been discovered by Jeremiah Grossman

If an application needs one or more of these methods, such as REST Web services (which may require PUT or DELETE) it is important to check that their usage is properly limited to trusted users and safe conditions.

Many frameworks and languages treat HEAD as a GET request without any body in response. If only authenticated users are allowed or a particular servlet or resource then it would be bypassed for the HEAD.

Some other framework allowed arbitrary HTTP methods such as “JEFF” and CATS to be used without limitation. They were treated as if a GET method was issued.

So there is a need for the code to explicitly check for a GET or POST method.

Black Box Testing of HTTP Methods

The OPTIONS HTTP method provides us with the most direct and effective way to do that. OPTIONS method requests for information about the communication options available on the request/resonse chain identified by the Request-URL.

The testing method is extremely straightforward and we only need to fire up netcat or telnet

TRACE method is used to bypass the HTTPOnly tag which forbids the javascript to access it but the TRACE method is used to bypass this protection and access the cookie. This is called Cross Site Scripting.

The attacker controlled web server gets the document cookie object for hijacking the victim’ session;

When we issue the TRACE command using telnet we get the copy of the commands issued in the end. This means that by using this an attacker can get information of cookie and then use java script though it is tagged as HTTPOnly

TESTING FOR ARBRITARY HTTP METHODS

Check whether the server accepts JEFF or not. If there is no issue of 405 not allowed or 501 not implemented error page then there is vulnerability.

Try one of the following to exploit fully

FOOBAR /admin/createUser.php?member=myAdmin

JEFF /admin/changePw.php?member=myAdmin&passwd=foo123&confirm=foo123

CATS /admin/groupEdit.php?group=Admins&member=myAdmin&action=add

With little luck by using the above combination we can create a new user and password can be assigned and made an admin.

Testing or HEAD access control bypass

Try url of a page that forces redirection to login and test this URL for HEAD request and see the response. If 302 is directed, then it is safe. If we get a 200 response then it is easy to bypass the authentication and thus authorization. If a 200 response code comes back and the response contains no

body then it is likely that the application has processed the request without authentication and urther testing is warranted.