Other questions spring to mind. How do servers deal with query strings or
posted data? What about other less-used HTTP methods? My gut feeling is
that it would be treated like a GET request; time for some testing.

Jim
On Oct 29, 2012 12:04 AM, "allison nixon" <[email protected]> wrote:

> If this is true, it will be a very effective IDS evasion technique.  Not
> sure how WAFs will react but many IDS signatures do indeed look for
> GET/POST and not PUT.  I'll test this against some WAFs and see what
> happens, next time I'm at work.
>
> On Sun, Oct 28, 2012 at 11:35 AM, Robin Wood <[email protected]> wrote:
>
>> I've just been tidying up my tools and found a script which checks
>> which HTTP methods are enabled on a given site. I ran it against my
>> site and it said PUT is enabled. I know that it isn't so I manually
>> tested it and proved it wasn't enabled. I checked what it was actually
>> sending and it was trying to PUT to / so I tried that and got a 200
>> back along with the content of my index page. I tried again with
>> another page and got the content of that page.
>>
>> So for some reason PUT is acting as a GET for pages which exist. I
>> checked OPTIONS and that is doing the same; both of them only work with
>> HTTP 1.1, not 1.0.
>>
>> I've tried a few sites, apache.org, pauldotcom.com and microsoft.com
>> all fail but php.net gives back the content.
>>
>> nc php.net 80
>> PUT / HTTP/1.1
>> Host: php.net
>>
>> HTTP/1.1 200 OK
>> Date: Sun, 28 Oct 2012 15:30:30 GMT
>> .
>> .
>> .
>>
>>
>> If this is common it might be a nice way to bypass IDS that are looking
>> for GET or HEAD methods or to bypass restrictions which lock out those
>> two methods.
>>
>> Comments?
>>
>> Robin
>> _______________________________________________
>> Pauldotcom mailing list
>> [email protected]
>> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
>> Main Web Site: http://pauldotcom.com
>>
>
>
>
> --
> _________________________________
> Note to self: Pillage BEFORE burning.
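Added example, not part of the original thread: a log check a defender could run to see whether a server is answering PUT or OPTIONS with page content, as described in the messages above. The combined log format, the `CONTENT_METHODS` allow-list, the function name and the sample lines are assumptions constructed for illustration.

```python
import re

# Prefix of an Apache/nginx "combined" access-log line (assumed log format).
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Za-z]+) (?P<path>\S+) HTTP/\d\.\d" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
# Methods this site is expected to return page content for (assumption).
CONTENT_METHODS = {"GET", "HEAD", "POST"}

# Constructed sample lines, not taken from any real server.
SAMPLE_LOG = [
    '198.51.100.7 - - [28/Oct/2012:15:30:29 +0000] "GET / HTTP/1.1" 200 5120 "-" "-"',
    '198.51.100.7 - - [28/Oct/2012:15:30:30 +0000] "PUT / HTTP/1.1" 200 5120 "-" "-"',
    '198.51.100.7 - - [28/Oct/2012:15:30:31 +0000] "OPTIONS / HTTP/1.1" 200 - "-" "-"',
    '198.51.100.7 - - [28/Oct/2012:15:30:32 +0000] "PUT /upload HTTP/1.1" 405 312 "-" "-"',
    '198.51.100.7 - - [28/Oct/2012:15:30:33 +0000] "OPTIONS /about.php HTTP/1.1" 200 2048 "-" "-"',
]

def unexpected_method_hits(lines, min_body=1):
    """Flag 2xx responses with a body for methods outside CONTENT_METHODS."""
    entries = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:  # lines that do not parse are skipped, not flagged
            size = 0 if m["size"] == "-" else int(m["size"])
            entries.append((m["method"].upper(), m["path"], int(m["status"]), size))
    # Body sizes seen for normal GETs per path, to spot "PUT answered like GET".
    get_sizes = {}
    for method, path, status, size in entries:
        if method == "GET" and status == 200:
            get_sizes.setdefault(path, set()).add(size)
    hits = []
    for method, path, status, size in entries:
        # An OPTIONS reply with only an Allow header has no body and is not flagged.
        if method in CONTENT_METHODS or not 200 <= status < 300 or size < min_body:
            continue
        hits.append({"method": method, "path": path, "status": status, "size": size,
                     "matches_get": size in get_sizes.get(path, set())})
    return hits

if __name__ == "__main__":
    for hit in unexpected_method_hits(SAMPLE_LOG):
        print(hit)
```

A hit with `matches_get` set means the response size equals one already logged for a GET of the same path, which is the behaviour Robin reported; any IDS or WAF rule keyed only on GET/POST should be reviewed against the methods that show up here.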