PaulDotCom mailing list archives
Re: HTTP GETs with a PUT
From: Ryan Dewhurst <ryandewhurst () gmail com>
Date: Mon, 29 Oct 2012 14:48:52 +0100
PUT and ARSE responses with bodies reproduced on one of my Apache/2.2.14 (Ubuntu) servers.

On Mon, Oct 29, 2012 at 10:50 AM, Robin Wood <robin () digininja org> wrote:

On 28 October 2012 15:57, allison nixon <elsakoo () gmail com> wrote:

If this is true, it will be a very effective IDS evasion technique. Not sure how WAFs will react but many IDS signatures do indeed look for GET/POST and not PUT. I'll test this against some WAFs and see what happens, next time I'm at work.

I've just checked and you can send any word as a method and as long as the page exists you get a 200 and the content back on both my site and php.net, for example I just sent it the ARSE method and got a page back.

Robin

On Sun, Oct 28, 2012 at 11:35 AM, Robin Wood <robin () digininja org> wrote:

I've just been tidying up my tools and found a script which checks which HTTP methods are enabled on a given site. I ran it against my site and it said PUT is enabled. I know that it isn't so I manually tested it and proved it wasn't enabled.

I checked what it was actually sending and it was trying to PUT to / so I tried that and got a 200 back along with the content of my index page. I tried again with another page and got the content of that page.

So for some reason PUT is acting as a GET for pages which exist. I checked OPTIONS and that is doing the same. Both of them only work with HTTP 1.1, not 1.0.

I've tried a few sites, apache.org, pauldotcom.com and microsoft.com all fail but php.net gives back the content.

nc php.net 80
PUT / HTTP/1.1
Host: php.net

HTTP/1.1 200 OK
Date: Sun, 28 Oct 2012 15:30:30 GMT
.
.
.

If this is common it might be a nice way to bypass IDS that are looking for GET or HEAD methods or to bypass restrictions which lock out those two methods.

Comments?

Robin

_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com

--
_________________________________
Note to self: Pillage BEFORE burning.
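An added example, not part of the original thread: one way a defender could look for the behaviour discussed above in their own web server logs, by flagging requests whose method is outside an expected set but which were still answered with a 2xx status and a body. It assumes Apache common/combined log format; the allow-list, the function name and the sample log lines are constructed for illustration.

```python
import re

# Assumed allow-list: methods this site is expected to serve. Adjust per application.
ALLOWED_METHODS = frozenset({"GET", "HEAD", "POST", "OPTIONS"})

# Apache common/combined log prefix: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)'
)

def suspicious_method_hits(lines, allowed=ALLOWED_METHODS):
    """Return log entries where an unexpected method got a 2xx reply with a body."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line in the assumed format
        parts = m.group("request").split()
        if len(parts) != 3:
            continue  # malformed request line; out of scope for this check
        method, path, _version = parts
        status = int(m.group("status"))
        size = 0 if m.group("size") == "-" else int(m.group("size"))
        # HTTP methods are case-sensitive, so "get" is also treated as unexpected.
        if method not in allowed and 200 <= status < 300 and size > 0:
            hits.append({"host": m.group("host"), "time": m.group("time"),
                         "method": method, "path": path,
                         "status": status, "size": size})
    return hits

# Constructed sample lines (documentation-range addresses), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [28/Oct/2012:15:30:30 +0000] "GET / HTTP/1.1" 200 5120',
    '192.0.2.10 - - [28/Oct/2012:15:30:41 +0000] "PUT / HTTP/1.1" 200 5120',
    '192.0.2.10 - - [29/Oct/2012:09:50:02 +0000] "ARSE /index.php HTTP/1.1" 200 5120',
    '198.51.100.7 - - [29/Oct/2012:09:51:10 +0000] "PUT /upload HTTP/1.1" 405 312',
    '198.51.100.7 - - [29/Oct/2012:09:52:00 +0000] "DELETE /x HTTP/1.1" 501 -',
]

if __name__ == "__main__":
    for hit in suspicious_method_hits(SAMPLE_LOG):
        print(hit["time"], hit["host"], hit["method"], hit["path"], hit["size"])
```

A hit means the server returned page content for a method it was not expected to honour, which is also the traffic a GET/POST-only signature would not have matched.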
Current thread:
- HTTP GETs with a PUT Robin Wood (Oct 28)
- Re: HTTP GETs with a PUT allison nixon (Oct 28)
- Re: HTTP GETs with a PUT Jim Halfpenny (Oct 29)
- Re: HTTP GETs with a PUT Robin Wood (Oct 29)
- Re: HTTP GETs with a PUT Ryan Dewhurst (Oct 29)
- Re: HTTP GETs with a PUT anthony kasza (Oct 28)
- Re: HTTP GETs with a PUT Robin Wood (Oct 29)
- Re: HTTP GETs with a PUT allison nixon (Oct 28)