WebApp Sec mailing list archives

RE: HTTP CONNECT and WebDav Authentication


From: "Kevin Spett" <kspett () spidynamics com>
Date: Tue, 16 Sep 2003 11:30:40 -0400

The CONNECT method is described here:
http://asg.web.cmu.edu/rfc/rfc2616.html#sec-9.9

Auth for WebDAV is handled by the webserver using normal HTTP auth solutions
like Basic, Digest, integrated NTLM on IIS, etc.



Kevin Spett
SPI Labs
http://www.spidynamics.com/


-----Original Message-----
From: webappsecquestions () hushmail com
[mailto:webappsecquestions () hushmail com]
Sent: Monday, September 15, 2003 10:29 PM
To: webappsec () securityfocus com
Subject: HTTP CONNECT and WebDav Authentication


Can anyone explain to me what HTTP Connect allows and how someone would
exploit a site that has it enabled?

Also how does authentication work with WebDav? i.e. if the DELETE method
is enabled, how does the web server authenticate a request to delete
a file and where is that username and password kept?
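
Added example (not part of the original thread and not any web server's own code): a minimal Python model of a server gating a WebDAV DELETE behind HTTP Digest auth (RFC 2617, qop=auth), showing the 401 challenge, the client's Authorization header and the server-side check. The realm, user, password, nonce, path and function names are constructed for illustration; the credential store mimics an htdigest-style file.

```python
import hashlib
import hmac
import re

REALM = "dav"                     # constructed realm
NONCE = "constructed-nonce-0001"  # a real server issues a fresh random nonce
PROTECTED = {"PUT", "DELETE", "MKCOL", "COPY", "MOVE", "PROPPATCH", "LOCK", "UNLOCK"}

def md5(text):
    return hashlib.md5(text.encode()).hexdigest()

# Constructed credential store, htdigest style: user -> MD5(user:realm:password).
# This server-side file is where the "username and password" live for Digest.
STORE = {"alice": md5(f"alice:{REALM}:s3cret")}

def digest_response(ha1, nonce, nc, cnonce, method, uri):
    """RFC 2617 request-digest for qop=auth; binds the method and the URI."""
    return md5(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{md5(f'{method}:{uri}')}")

def client_authorization(user, password, method, uri, nonce, nc="00000001", cnonce="c0ffee"):
    """Authorization header value a WebDAV client sends after the 401 challenge."""
    ha1 = md5(f"{user}:{REALM}:{password}")
    resp = digest_response(ha1, nonce, nc, cnonce, method, uri)
    return (f'Digest username="{user}", realm="{REALM}", nonce="{nonce}", uri="{uri}", '
            f'qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"')

def handle(method, uri, authorization=None):
    """Return (status, headers) as a server gating write methods would."""
    if method not in PROTECTED:
        return 200, {}
    challenge = {"WWW-Authenticate": f'Digest realm="{REALM}", qop="auth", nonce="{NONCE}"'}
    if not authorization or not authorization.startswith("Digest "):
        return 401, challenge
    p = dict(re.findall(r'(\w+)="?([^",]+)"?', authorization[7:]))
    ha1 = STORE.get(p.get("username", ""))
    if ha1 is None or p.get("nonce") != NONCE or p.get("uri") != uri:
        return 401, challenge
    expected = digest_response(ha1, NONCE, p.get("nc", ""), p.get("cnonce", ""), method, uri)
    if not hmac.compare_digest(expected, p.get("response", "")):
        return 401, challenge
    return 204, {}  # authenticated: the DELETE is carried out

if __name__ == "__main__":
    uri = "/files/report.txt"  # constructed path
    print(handle("DELETE", uri))
    print(handle("DELETE", uri, client_authorization("alice", "s3cret", "DELETE", uri, NONCE)))
```

With Digest only the hash of user:realm:password sits on the server and the digest ties each request to its method and URI; with Basic the same gate applies but the password itself crosses the wire, so it depends on TLS.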




