HTTP Request Methods, the point of view of an attacker…

Sometimes I have difficulty convincing sysadmins of the importance of HTTP request methods.

Which methods should we have enabled on the servers, and what can they be used for?

This text shows the attacker's point of view when he finds more methods enabled than are necessary.

What are the HTTP Request Methods?

The HTTP Request Methods are:

  • GET
  • POST
  • HEAD
  • TRACE
  • OPTIONS
  • CONNECT
  • PUT (WebDAV)
  • DELETE (WebDAV)

The GET request method:

This method is used to request pages from the server. It is similar to the POST request method; the difference is that it uses the URL to pass parameters to the application.

Attacker point of view:

  • URLs can be bookmarked with parameters that should not be there (session tracking parameters, authentication-related parameters, e.g. session ID).
  • The request is logged in the server logs, which can be a problem for disclosure of information in those logs, e.g. server admins can end up with the clients' authentication information.
  • It is easier to script against this method. Easier XSS attacks.

The POST request method:

This method is used to request pages from the server. It is similar to the GET request method; the difference is that it uses the HTTP payload to pass the parameters.

Attacker point of view:

  • The request can still be manipulated.
  • If the application supports method interchange, a POST can be changed to a GET for simpler scripting (register_globals is one way this happens in PHP).
  • If interchange is possible, it might allow easier XSS attacks (easier scripting).

HEAD Request Method:

Instructs the server to respond with only the HTTP headers.

Attacker point of view:

Allows the attacker to test requests without waiting for the payload (the data the attacker is looking for must reside in the HTTP headers).

TRACE Request Method:

TRACE echoes the request, as seen by the server, back to the client.

Attacker point of view:

  • It allows the attacker to see any changes made to the request by intermediate servers such as proxies, and any pieces of information added by intermediaries like load balancers and proxy servers.
  • Maps the architecture.
  • Changes to the request may be made by inbound or outbound proxies or load balancers.

OPTIONS Request Method:

It asks the server which HTTP request methods are supported.

Attacker point of view:

An easy way of learning what the server supports.

CONNECT Request Method:

Creates an HTTP tunnel for requests.

Attacker point of view:

  • It is used by proxies. If you know the resources, there is a chance of abusing the proxy to get access to applications that we should not normally be able to access. It can be used to connect to other resources behind the proxy.
  • It is used to establish SSL connections.

PUT and DELETE Request Methods:

They are used for Web-based Distributed Authoring and Versioning (WebDAV) and should not be used on public web servers. (WebDAV has many other methods that remain out of scope for this article.) PUT is used to upload data to the server, DELETE to remove data from the server.

Attacker point of view:

  • Imagine we can delete the .htaccess file, the place where all the configs and ACLs for a site are normally stored: the attacker could remove controls that block access to the application.
  • PUT can be used to upload malicious code that is executed on the client or server side!

Always disable methods that are not needed for our business needs.
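
One way to check a server's access log for the issues described above, as an added example that is not part of the original post: it flags requests that use methods outside an allowlist (and whether the server honoured them) and GET URLs that put session parameters into the log. The allowlist, the parameter names and the log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumption: the application only needs these methods; adjust per business need.
ALLOWED_METHODS = {"GET", "POST", "HEAD"}
# Assumption: query parameter names that carry session or authentication data.
SENSITIVE_PARAMS = {"sessionid", "sid", "phpsessid", "jsessionid", "token", "password"}

# Common Log Format: host ident user [time] "METHOD target PROTOCOL" status size
LOG_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def audit_line(line):
    """Return the list of findings for one access-log line (empty if clean)."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparseable request line"]
    findings = []
    method, status = m["method"].upper(), int(m["status"])
    if method not in ALLOWED_METHODS:
        # A 2xx status means the server honoured the method, so it is enabled.
        outcome = "accepted" if 200 <= status < 300 else "rejected"
        findings.append(f"{method} not in allowlist ({outcome}, status {status})")
    query = urlsplit(m["target"]).query
    names = {k.lower() for k, _ in parse_qsl(query, keep_blank_values=True)}
    leaked = sorted(names & SENSITIVE_PARAMS)
    if leaked:
        findings.append("sensitive parameter in logged URL: " + ", ".join(leaked))
    return findings

def audit(lines):
    """Map 1-based line number to findings, skipping clean lines."""
    return {i: f for i, line in enumerate(lines, 1) if (f := audit_line(line))}

# Constructed sample log lines (documentation addresses, not from a real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326',
    '192.0.2.10 - - [10/Oct/2023:13:55:40 +0000] "GET /account?sessionid=abc123&page=2 HTTP/1.1" 200 512',
    '192.0.2.44 - - [10/Oct/2023:13:56:01 +0000] "OPTIONS / HTTP/1.1" 200 0',
    '192.0.2.44 - - [10/Oct/2023:13:56:03 +0000] "TRACE / HTTP/1.1" 405 231',
    '192.0.2.44 - - [10/Oct/2023:13:56:09 +0000] "PUT /upload/test.txt HTTP/1.1" 201 0',
    '192.0.2.44 - - [10/Oct/2023:13:56:12 +0000] "DELETE /.htaccess HTTP/1.1" 403 199',
]

if __name__ == "__main__":
    for lineno, findings in audit(SAMPLE_LOG).items():
        print(lineno, "; ".join(findings))
```

An "accepted" finding means the method is still enabled on the server and should be disabled if the business does not need it; a "rejected" one shows the control working while someone is probing for it.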

Hope this information is useful to someone.
