Testing http methods using Telnet
Download as DOCX, PDF2 likes9,842 views
The HTTP methods can pose security risks if not properly configured. Attackers may use Cross Site Tracing (XST) via the TRACE method to steal user credentials. PUT, DELETE, and CONNECT methods could allow attackers to upload malicious files, delete files to deface sites, or use the server as a proxy. It is important to limit these methods to trusted users under safe conditions. The OPTIONS method provides information about available communication options, which can be used for testing. Testing arbitrary methods like "JEFF" and "CATS" could exploit vulnerabilities if the server allows them without limitations like GET. Testing the HEAD method without authentication can bypass login requirements if it returns a 200 response without requiring authentication.
Testing http methods using Telnet
- 1. Why HTTP Testing? The HTTP methods can be used or nefarious purposes if the web server is mis-cofigured. Additionally Cross Site Tracing (XST), a form of cross site scripting using the server’s HTTP TRACE method, is used by attackers to get the credentials of authenticated users. Other HTTP Methods are:HEAD GET POST PUT DELETE TRACE OPTIONS CONNECT Other Arbitrary Methods are = FOOBAR JEFF CATS etc. HG PPD OC HEAD Get POST PUT Delete Options Connect Some of these methods can pose a security risk for the application as they allow an attacker to modify the files stored on the web server and in some scenarios steal the credentials of legitimate users. PUT = This method allows a client to upload new files on the web server. An attacker can exploit it by uploading malicious files. (E.g an asp file that invokes cmd.exe or by simply using the victim’s server as a file repository) DELETE = This method allows a client to delete a file on the web server. An attacker can exploit it as a simple and direct way to deface a web site or to mount a DoS attack. CONNECT = This method could allow a client to use a web server as a proxy. TRACE = This method simply echoes back to the client whatever string has been sent to the server and is used mainly for debugging purposes. This is used to mount an attack known as Cross Site Tracing which had been discovered by Jeremiah Grossman
- 2. If an application needs one or more of these methods, such as REST Web services (which may require PUT or DELETE) it is important to check that their usage is properly limited to trusted users and safe conditions. Many frameworks and languages treat HEAD as a GET request without any body in response. If only authenticated users are allowed or a particular servlet or resource then it would be bypassed for the HEAD. Some other framework allowed arbitrary HTTP methods such as “JEFF” and CATS to be used without limitation. They were treated as if a GET method was issued. So there is a need for the code to explicitly check for a GET or POST method. Black Box Testing of HTTP Methods The OPTIONS HTTP method provides us with the most direct and effective way to do that. OPTIONS method requests for information about the communication options available on the request/resonse chain identified by the Request-URL. The testing method is extremely straightforward and we only need to fire up netcat or telnet TRACE method is used to bypass the HTTPOnly tag which forbids the javascript to access it but the TRACE method is used to bypass this protection and access the cookie. This is called Cross Site Scripting. The attacker controlled web server gets the document cookie object for hijacking the victim’ session;
- 3. When we issue the TRACE command using telnet we get the copy of the commands issued in the end. This means that by using this an attacker can get information of cookie and then use java script though it is tagged as HTTPOnly TESTING FOR ARBRITARY HTTP METHODS Check whether the server accepts JEFF or not. If there is no issue of 405 not allowed or 501 not implemented error page then there is vulnerability. Try one of the following to exploit fully FOOBAR /admin/createUser.php?member=myAdmin JEFF /admin/changePw.php?member=myAdmin&passwd=foo123&confirm=foo123 CATS /admin/groupEdit.php?group=Admins&member=myAdmin&action=add With little luck by using the above combination we can create a new user and password can be assigned and made an admin. Testing or HEAD access control bypass Try url of a page that forces redirection to login and test this URL for HEAD request and see the response. If 302 is directed, then it is safe. If we get a 200 response then it is easy to bypass the authentication and thus authorization. If a 200 response code comes back and the response contains no
- 4. body then it is likely that the application has processed the request without authentication and urther testing is warranted.