VBAAC Bypass – Verb Based Authentication and Access Control.

This post would be dedicated to VBAAC bypass which is detailed in the ongoing research documentation I had been doing. The part of this series belongs to ‘Web Application Exploitation’ and has been pinned to this post for personal purpose of reference. Work had just exploded and for the need to trace back everything that is being done, everything about the paper goes here. The belongings of this post are entirely devoted for personal research. The blog itself is personal.

What is covered in VBAAC Bypass:

  • Concept of Server Side controls.
  • HTTP RFC’s for ‘verbs’.
  • WebDAV ‘verbs’ or ‘methods’.
  • Access control mechanisms via apache.
  • Configuring Apache to make use of access control mechanism configurations.
  • Using .htaccess file for access control mechanism.
  • Example JSP webserver based web.xml configuration.
  • Example protected resource based .htaccess configuration for apache servers.
  • Snippet application code for VBAAC bypass.
  • Authentication v/s Authorization for apache web-servers
  • Techniques to bypass ‘methods’ or ‘verbs’.
  • Bypass via HEAD
  • Bypass via arbitrary ‘verb’
  • Application server side configuration based ‘verb’ bypass.
  • Defeating Authentication and hence Authorization via verb based bypass techniques.

The entire documentation encircles creating a web application first, prior to bypassing authentication on them. Because URL based authentication are protect resources on ‘Basic’ or ‘Digest’ authentication, a very brief knowledge on HTTP standardized ‘verb’ is provided. This would be required throughout the document processing. A good amount of WebDAV verbs are also provided with attached RFC’s. Samples of the work is attached below and is for private purposes only. The document isn’t public.


Verb 0


Verb 1


Verb 2


Verb 3


Verb 4


Verb 5


Had a great day going ahead and improving drafting skills and had been undergoing good grip onto web application penetration testing from within the corporate companies. The point of the research is to bring back the real penetration testing scenario around the general and aware the security eroded cultural mis-aware people out there. Have a great weekend ahead!

Looking for intellectual opinions. Feedbacks are welcome!

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s