If this is true, it will be a very effective IDS evasion technique. Not sure how WAFs will react but many IDS signatures do indeed look for GET/POST and not PUT. I'll test this against some WAFs and see what happens, next time I'm at work.
On Sun, Oct 28, 2012 at 11:35 AM, Robin Wood <[email protected]> wrote:
> I've just been tidying up my tools and found a script which checks
> which HTTP methods are enabled on a given site. I ran it against my
> site and it said PUT is enabled. I know that it isn't so I manually
> tested it and proved it wasn't enabled. I checked what it was actually
> sending and it was trying to PUT to / so I tried that and got a 200
> back along with the content of my index page. I tried again with
> another page and got the content of that page.
>
> So for some reason PUT is acting as a GET for pages which exist. I
> checked OPTIONS and that is doing the same; both of them only work with
> HTTP 1.1, not 1.0.
>
> I've tried a few sites, apache.org, pauldotcom.com and microsoft.com
> all fail but php.net gives back the content.
>
> nc php.net 80
> PUT / HTTP/1.1
> Host: php.net
>
> HTTP/1.1 200 OK
> Date: Sun, 28 Oct 2012 15:30:30 GMT
> .
> .
> .
>
>
> If this is common it might be a nice way to bypass IDS that are looking
> for GET or HEAD methods or to bypass restrictions which lock out those
> two methods.
>
> Comments?
>
> Robin
> _______________________________________________
> Pauldotcom mailing list
> [email protected]
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
>

--
_________________________________
Note to self: Pillage BEFORE burning.
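For defenders reading this thread, here is an added example (not code from either poster) that looks for the behaviour described above in a web server access log: an unexpected method such as PUT or OPTIONS answered with a 200 whose body size matches a GET response for the same path. It assumes Apache combined log format; the log lines, the `EXPECTED` set and the function name `find_method_fallthrough` are constructed for illustration.

```python
import re
from collections import defaultdict


# Constructed sample access-log lines (Apache combined format), not from the thread.
SAMPLE_LOG = """\
198.51.100.7 - - [28/Oct/2012:15:30:12 +0000] "GET / HTTP/1.1" 200 5120 "-" "curl/7.27"
198.51.100.7 - - [28/Oct/2012:15:30:30 +0000] "PUT / HTTP/1.1" 200 5120 "-" "-"
198.51.100.7 - - [28/Oct/2012:15:30:41 +0000] "OPTIONS /docs.php HTTP/1.1" 200 8301 "-" "-"
203.0.113.9 - - [28/Oct/2012:15:31:02 +0000] "GET /docs.php HTTP/1.1" 200 8301 "-" "Mozilla/5.0"
203.0.113.9 - - [28/Oct/2012:15:31:05 +0000] "PUT /upload HTTP/1.1" 405 312 "-" "-"
203.0.113.9 - - [28/Oct/2012:15:31:09 +0000] "OPTIONS /api HTTP/1.1" 200 0 "-" "-"
203.0.113.9 - - [28/Oct/2012:15:31:12 +0000] "POST /login.php HTTP/1.1" 200 950 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)')

EXPECTED = {"GET", "HEAD", "POST"}  # assumption: methods the site is meant to serve


def find_method_fallthrough(log_text):
    """Return (ip, method, path, size) for unexpected methods that got a 200
    whose body size equals a GET response size seen for the same path."""
    entries = []
    get_sizes = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        size = 0 if m["size"] == "-" else int(m["size"])
        entries.append((m["ip"], m["method"], m["path"], int(m["status"]), size))
        if m["method"] == "GET" and m["status"] == "200":
            get_sizes[m["path"]].add(size)
    return [(ip, method, path, size)
            for ip, method, path, status, size in entries
            if method not in EXPECTED and status == 200
            and size > 0 and size in get_sizes[path]]


if __name__ == "__main__":
    for hit in find_method_fallthrough(SAMPLE_LOG):
        print("method treated as GET:", hit)
```

A hit means the server returned page content for a method that signatures keyed on GET/POST would not match, so detection rules for that site should key on the request path and payload rather than the method.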
