PUT and ARSE responses with bodies reproduced on one of my Apache/2.2.14 (Ubuntu) servers.
On Mon, Oct 29, 2012 at 10:50 AM, Robin Wood <[email protected]> wrote:
> On 28 October 2012 15:57, allison nixon <[email protected]> wrote:
>> If this is true, it will be a very effective IDS evasion technique. Not
>> sure how WAFs will react but many IDS signatures do indeed look for GET/POST
>> and not PUT. I'll test this against some WAFs and see what happens, next
>> time I'm at work.
>
> I've just checked and you can send any word as a method and as long as
> the page exists you get a 200 and the content back on both my site and
> php.net, for example I just sent it the ARSE method and got a page
> back.
>
> Robin
>
>
>> On Sun, Oct 28, 2012 at 11:35 AM, Robin Wood <[email protected]> wrote:
>>>
>>> I've just been tidying up my tools and found a script which checks
>>> which HTTP methods are enabled on a given site. I ran it against my
>>> site and it said PUT is enabled. I know that it isn't so I manually
>>> tested it and proved it wasn't enabled. I checked what it was actually
>>> sending and it was trying to PUT to / so I tried that and got a 200
>>> back along with the content of my index page. I tried again with
>>> another page and got the content of that page.
>>>
>>> So for some reason PUT is acting as a GET for pages which exist. I
>>> checked OPTIONS and that is doing the same; both of them only work with
>>> HTTP 1.1, not 1.0.
>>>
>>> I've tried a few sites, apache.org, pauldotcom.com and microsoft.com
>>> all fail but php.net gives back the content.
>>>
>>> nc php.net 80
>>> PUT / HTTP/1.1
>>> Host: php.net
>>>
>>> HTTP/1.1 200 OK
>>> Date: Sun, 28 Oct 2012 15:30:30 GMT
>>> .
>>> .
>>> .
>>>
>>>
>>> If this is common it might be a nice way to bypass IDS that are looking
>>> for GET or HEAD methods or to bypass restrictions which lock out those
>>> two methods.
>>>
>>> Comments?
>>>
>>> Robin
>>> _______________________________________________
>>> Pauldotcom mailing list
>>> [email protected]
>>> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
>>> Main Web Site: http://pauldotcom.com
>>
>>
>> --
>> _________________________________
>> Note to self: Pillage BEFORE burning.
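The false positive Robin describes (a method scanner reporting "PUT enabled" because PUT / came back 200 with the index page) and his follow-up observation (any made-up verb such as ARSE gets the same 200 and body) are the two things a method-checking script should tell apart. The following is an added example, not Robin's script nor anything from the thread: it sends raw requests the way the nc session does, flags a verb as merely aliased to GET when its 200 response body is byte-for-byte the GET body, and only calls PUT enabled when a later GET returns the bytes that were uploaded. The local `VerbAliasingHandler` is a constructed stand-in for the behaviour reported on php.net and the Apache/2.2.14 box (every method on an existing path returns the page); it is not Apache, writes nothing, and the page paths and function names are assumptions for the example.

```python
"""Probe whether a verb is really implemented or just answered like a GET.

Added example, not a script from the thread. Two checks from the discussion:
  - verb_aliases_get(): an arbitrary method (PUT, ARSE, ...) gets the same 200
    and body as GET, so a "200 means enabled" scanner will false-positive;
  - put_really_enabled(): PUT counts as enabled only if a later GET returns
    what was uploaded.
VerbAliasingHandler is a constructed local stand-in for the behaviour Robin
reports (any method on an existing path returns the page); it is not Apache.
"""
import http.server
import os
import socket
import threading

# Constructed content for the simulator; the paths are assumptions.
PAGES = {"/": b"<html>index</html>\n", "/about": b"<html>about</html>\n"}


class VerbAliasingHandler(http.server.BaseHTTPRequestHandler):
    protocol_version = "HTTP/1.1"

    def _serve_like_get(self):
        # Drain any request body so the connection stays in sync.
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        body = PAGES.get(self.path)
        if body is None:
            self.send_error(404)
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def __getattr__(self, name):
        # BaseHTTPRequestHandler dispatches to do_<METHOD>; alias every verb.
        if name.startswith("do_"):
            return self._serve_like_get
        raise AttributeError(name)

    def log_message(self, *args):
        pass  # keep the example quiet


def start_simulator():
    """Bind the simulator on a free loopback port; returns (server, port)."""
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), VerbAliasingHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def probe(host, port, method, path, body=b"", version="HTTP/1.1"):
    """One raw request, as in the nc session; returns (status, response body)."""
    req = (f"{method} {path} {version}\r\nHost: {host}\r\n"
           f"Content-Length: {len(body)}\r\nConnection: close\r\n\r\n").encode()
    raw = b""
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(req + body)
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            raw += chunk
    head, _, resp_body = raw.partition(b"\r\n\r\n")
    return int(head.split(b" ", 2)[1]), resp_body


def verb_aliases_get(host, port, method, path="/"):
    """True when `method` on an existing page returns exactly what GET does."""
    get_status, get_body = probe(host, port, "GET", path)
    status, body = probe(host, port, method, path)
    return get_status == 200 and status == 200 and body == get_body


def put_really_enabled(host, port, target=None):
    """PUT is enabled only if the uploaded bytes come back from a later GET.
    A bare 200 (what the scanner in the thread keyed on) is not enough."""
    marker = b"put-probe-" + os.urandom(8).hex().encode()
    target = target or "/" + marker.decode()  # assumed not to exist yet
    status, _ = probe(host, port, "PUT", target, body=marker)
    if status not in (200, 201, 204):
        return False
    get_status, get_body = probe(host, port, "GET", target)
    return get_status == 200 and get_body == marker


if __name__ == "__main__":
    srv, port = start_simulator()
    for verb in ("PUT", "OPTIONS", "ARSE"):
        print(verb, "aliases GET:", verb_aliases_get("127.0.0.1", port, verb))
    print("PUT / really enabled:", put_really_enabled("127.0.0.1", port, "/"))
    print("PUT new path really enabled:", put_really_enabled("127.0.0.1", port))
    srv.shutdown()
```

Against the simulator, PUT, OPTIONS and ARSE all report as aliased to GET and both `put_really_enabled` calls return False: the 200 on `PUT /` is the index page, not an acknowledgement of an upload. To repeat Robin's version check against a real host, call `probe(host, 80, "PUT", "/", version="HTTP/1.0")` and compare with the HTTP/1.1 result.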
