Comments on: Take HTTP Methods Out of Your Security Decisions

By: arshan dabirsiaghi

arshan dabirsiaghi — Mon, 23 Mar 2009 15:41:22 +0000

There’s no doubt that a few people knew of this technique years ago. The kernel panic paper Adam Muntner pointed out to me on web-sec was proof of that – regardless, I think it’s in common verbiage now. =]

By: kuza55

kuza55 — Mon, 23 Mar 2009 10:44:22 +0000

“This is so 2005″: http://archives.neohapsis.com/archives/fulldisclosure/2005-07/0495.html

I just stumbled upon that again, and thought I might post it here to show I wasn’t making shit up.

By: Good Times in Toronto « Trey Ford - Security Spin Control

Good Times in Toronto « Trey Ford - Security Spin Control — Thu, 17 Jul 2008 13:38:57 +0000

[...] great discussion on recent court rulings and Internet directed legislation, former war stories, if Arian is really an 8.5 on hot-or-not, and why proper creole spices aren’t sold in Canada. (no kidding mom, the guys up there [...]

By: arshan dabirsiaghi

arshan dabirsiaghi — Mon, 02 Jun 2008 15:03:33 +0000

@kuza, I disagree, and I think the amount of positive feedback we got proves our point.

@genghis, after hearing what’s on the in-room menus at Amsterdam hotels I’m ready to go anytime!

By: kuza55

kuza55 — Sun, 01 Jun 2008 02:10:03 +0000

@arshan:
And from that realisation to using other HTTP methods (including non-existent methods) is pretty trivial.

By: GenghisKhan

GenghisKhan — Fri, 30 May 2008 23:37:16 +0000

Hi Arshan,

Did you still have enough energy and time to travel to Amsterdam? Thnx for publishing the amazing whitepaper, video en blog. I’m actually rechecking a couple code-review assignments ( in idle time ) and considering to send a news-letter to costumers. Keep up the good work.

Hoop to see you on a another AMAZING! OWASP AppSecc event.

Genghis (Amsterdam)

By: arshan dabirsiaghi

arshan dabirsiaghi — Fri, 30 May 2008 01:01:41 +0000

@kuza55, GET/POST jumps are pretty trivial and the need for those jumps come up way more often than this. Rogan even made us a WebScarab script that automatically translates from one to another with certain triggers a few years ago, and it comes in quite handy.

By: kuza55

kuza55 — Thu, 29 May 2008 22:52:01 +0000

@arshan
Haha, I wish I could find a year to go along with it, but I can’t remember what year it was and I can’t seem to find the reference I saw to it atm (some hacking team’s site got owned because they were doing this, and they posted something (to a list probably…) saying this is how it happened since people thought it had been completely owned somehow, except in their case they had blocked GET, and the attacker had used POST, so I thought it was a pretty obvious leap from that to your paper), but I am still looking for it…

I’m not surprised that someone else came up with it, I’m surprised that it took people this long when it had been publicly mentioned before.

Oh, and this time I didn’t use the word lame (and have no plans to), I used the word spam :p I was honestly under the impression that many people would know about this.

By: arshan dabirsiaghi

arshan dabirsiaghi — Thu, 29 May 2008 12:13:54 +0000

@kuza, it doesn’t matter. I talked to a few people who know you better and they say this was a pretty standard response and that I shouldn’t get too worked up about it. =]

Though they predicted you would’ve said a year, i.e., “this is so 2005″, or something.

Either:
a) you did know it and you didn’t share it, or
b) you didn’t know and are trying to appear all knowing

If it’s a, then why on earth would it be surprising for someone else to discover it and write it up to share? Lame, even?

If it’s b, well, it’s b.

After something new comes out, you can always say you already knew it, and assholes always will. It’s a conveniently unverifiable way of claiming how el8 you are.

By: arshan dabirsiaghi

arshan dabirsiaghi — Thu, 29 May 2008 11:54:45 +0000

@niels, do you have any idea what circumstances allowed that behavior? Certain PHP/Apache versions?