On 28 October 2012 15:57, allison nixon <[email protected]> wrote:
> If this is true, it will be a very effective IDS evasion technique.  Not
> sure how WAFs will react but many IDS signatures do indeed look for GET/POST
> and not PUT.  I'll test this against some WAFs and see what happens, next
> time I'm at work.

I've just checked and you can send any word as a method and as long as
the page exists you get a 200 and the content back on both my site and
php.net; for example, I just sent it the ARSE method and got a page
back.

Robin


> On Sun, Oct 28, 2012 at 11:35 AM, Robin Wood <[email protected]> wrote:
>>
>> I've just been tidying up my tools and found a script which checks
>> which HTTP methods are enabled on a given site. I ran it against my
>> site and it said PUT is enabled. I know that it isn't so I manually
>> tested it and proved it wasn't enabled. I checked what it was actually
>> sending and it was trying to PUT to / so I tried that and got a 200
>> back along with the content of my index page. I tried again with
>> another page and got the content of that page.
>>
>> So for some reason PUT is acting as a GET for pages which exist. I
>> checked OPTIONS and that is doing the same; both of them only work with
>> HTTP 1.1, not 1.0.
>>
>> I've tried a few sites, apache.org, pauldotcom.com and microsoft.com
>> all fail but php.net gives back the content.
>>
>> nc php.net 80
>> PUT / HTTP/1.1
>> Host: php.net
>>
>> HTTP/1.1 200 OK
>> Date: Sun, 28 Oct 2012 15:30:30 GMT
>> .
>> .
>> .
>>
>>
>> If this is common it might be a nice way to bypass IDS that are looking
>> for GET or HEAD methods or to bypass restrictions which lock out those
>> two methods.
>>
>> Comments?
>>
>> Robin
>> _______________________________________________
>> Pauldotcom mailing list
>> [email protected]
>> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
>> Main Web Site: http://pauldotcom.com
>
>
>
>
> --
> _________________________________
> Note to self: Pillage BEFORE burning.
>
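
The thread's point for defenders is that a check keyed on the literal GET/POST token misses a request the server answers as if it were a GET. As an added example (not part of the original thread), here is detection logic that flags any method outside an allowlist and separates the ones that were actually served content; the allowlist, log format and sample lines are assumptions constructed for illustration.

```python
import re

# Assumed allowlist: the methods this hypothetical site legitimately uses.
ALLOWED_METHODS = {"GET", "HEAD", "POST"}

# Common/Combined Log Format prefix: ip ident user [ts] "METHOD target PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[^\s"]+) (?P<target>\S+) (?P<proto>HTTP/\d\.\d)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

def classify(line):
    """Return None for expected traffic, else (severity, method, target, status)."""
    m = LOG_RE.match(line)
    if not m:
        return ("unparsed", None, None, None)
    method = m["method"]
    if method in ALLOWED_METHODS:
        return None
    status = int(m["status"])
    size = 0 if m["size"] == "-" else int(m["size"])
    # A 2xx with a body means the server treated the odd method like a GET,
    # which is the behaviour reported in the thread.
    if 200 <= status < 300 and size > 0:
        return ("served", method, m["target"], status)
    return ("rejected", method, m["target"], status)

def findings(lines):
    """Pair every anomalous line with its classification."""
    return [(r, l) for l in lines if (r := classify(l)) is not None]

# Constructed sample lines (documentation addresses, invented statuses and sizes).
SAMPLE_LOG = [
    '192.0.2.10 - - [28/Oct/2012:15:30:30 +0000] "GET / HTTP/1.1" 200 5120',
    '192.0.2.10 - - [28/Oct/2012:15:30:41 +0000] "PUT / HTTP/1.1" 200 5120',
    '192.0.2.10 - - [28/Oct/2012:15:31:02 +0000] "ARSE /index.php HTTP/1.1" 200 5120',
    '192.0.2.11 - - [28/Oct/2012:15:31:40 +0000] "PUT / HTTP/1.1" 405 312',
    '192.0.2.12 - - [28/Oct/2012:15:32:05 +0000] "OPTIONS / HTTP/1.0" 501 0',
]

if __name__ == "__main__":
    for (sev, method, target, status), _ in findings(SAMPLE_LOG):
        print(f"{sev:9} {method} {target} -> {status}")
```

Lines reported as "served" are the ones worth alerting on, since the same content inspection applied to GET needs to apply to them as well.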
