HTTP Methods Tampering and using automated bash script to verb tamper.

HTTP Verb Tampering

Okay, so I had done some research on verbs tampering lately, and most of you could get this information in the floating web. What’s not included is the fact that there are really three relevant methods to tamper and byass the VBAAC (Verb Based Authentication and Access Control) which is a security descriptor in and contains a security rule specified under certain web environments. To make the process easy and flexible, here is a small bash script one could use:

 

 

The 3 possible ways to bypass VBAAC are:

a.) Via the HEAD Verb (as a request method)

b.) Via any arbitary method (but the calling function should not rely on a servlet {HttpServlet} but instead any service e.g: JSP service etc .. )

c.) Insecure Security Constraints on vendor based security rule descriptors.

The following code would take you (as a web application penetration tester) to test if certain entry points using common request methods are allowed are not, if allowed, you would be prompted with the “RESPONSE” with use of “OPTIONS” as a request header (if at all OPTIONS is allowed, obviously!), if not, this script would try to get response for all the provided methods in the ‘webservmethod’, if methods are not allowed, you would see “Method Not Allowed” in the response.

#!/bin/bash

for webservmethod in OPTIONS  GET  POST  PROPFIND ;
do
printf "$webservmethod";
printf " ";
printf "$webservmethod / HTTP/1.1nHost:$1nn"|nc $1 80 | grep "200";
done

Consider giving this script a

‘chmod +x’

Also consider not using special chars in-between, it highly is sensitive to the $1 and Host: input fileds. Enjoy!

Advertisements

Looking for intellectual opinions. Feedbacks are welcome!

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s