Take HTTP Methods Out of Your Security Decisions

The first thing you have to do is go read the whitepaper (or watch the movie) we just put together on some research I did into bypassing authentication and authorization mechanisms with HTTP verb tampering.

It’s only been out for about 2 hours and we’ve already got a few thousand hits. Pretty cool! Ok, assuming you’re up to speed, let’s talk about some of the aspects of it we couldn’t fit into the paper.

How I Found It

I was teaching J2EE developers how to write secure code on the road down south, and in my breaks and lunch I was looking at Tomcat 6.x source code for, um, for fun. After finding a handful of other vulnerabilities, I saw this snippet:

protected void doHead(HttpServletRequest req, HttpServletResponse resp)
        throws ServletException, IOException {
    // Wrap the response so the body is thrown away, then run the GET handler.
    NoBodyResponse response = new NoBodyResponse(resp);
    doGet(req, response);
    // Report the Content-Length the GET would have produced.
    response.setContentLength();
}

There’s half of the whole thing in a nutshell. HEAD is a silent backdoor to GET in all the web servers. The fact that you can specify JEFF/BBQ/VAJAJAY as your verb and get forwarded to GET handlers in some situations is the second half, and that hilarity we only discovered after the fact.
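What that dispatch means for a deployment descriptor, as an added web.xml example (constructed here, not taken from the paper or from Tomcat): a security-constraint that lists http-method elements covers only those verbs, so HEAD, and any verb the container passes through, reaches the GET handler with no role check; dropping the http-method elements makes the same constraint cover every method. Only one of the two constraints would appear in a real web.xml.

```xml
<!-- Constructed web.xml fragment, not from the paper or Tomcat. -->

<!-- WEAK: only GET and POST are constrained. HttpServlet routes HEAD to
     doGet(), and any other verb the container forwards to the GET handler
     is likewise never checked against the admin role. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Admin pages (weak)</web-resource-name>
    <url-pattern>/admin/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
</security-constraint>

<!-- FIXED: no <http-method> element at all, so the constraint applies to
     every method, HEAD and made-up verbs included. The method is no longer
     part of the security decision. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Admin pages (fixed)</web-resource-name>
    <url-pattern>/admin/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
</security-constraint>

<!-- Servlet 3.1 and later additionally accept this top-level element, which
     makes the container refuse any method a constraint leaves uncovered. -->
<deny-uncovered-http-methods/>
```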

Blackbox Testing

When I was bouncing the concept off JG the first thing he tried to figure out was how one could detect a bypassable VBAAC mechanism from a blackbox perspective. He said timing, which is right. Send in a GET request, a HEAD request and a JEFF request and compare the timing results. It’s almost certain that if the attack worked with the HEAD or JEFF request, then it would take longer to complete those requests when compared to the GET (which is ostensibly protected). I think this is right, but there might be an easier, less noisy way.

If you make a request for a protected resource, you probably get a default or slightly customized 403 error page delivered by the web or application server. The chances are the response will be standard and have standard header values. However, the HEAD request, if it is successful, will return the real header values of the identical GET request. If that GET was sensitive, its headers are probably going to be different regarding content-type, caching, etc.
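The header-comparison check just described, as an added offline example (my code, not the paper’s or any tool’s): it takes the GET response as the "this is what the canned 403 looks like" baseline and flags every other method whose response either succeeds outright or carries different headers, unless the container explicitly rejected the method with 405 or 501. The responses are constructed sample data; the header list is an assumption to tune per application.

```python
"""Offline version of the header-comparison check for bypassable VBAAC.

Sample responses are constructed, not captured traffic. A GET for a protected
path yields the container's canned 403; a HEAD or bogus verb that slips past a
GET-only constraint is answered by the real handler, so its status and headers
look nothing like that 403.
"""
from typing import Dict, List, Tuple

Response = Tuple[int, Dict[str, str]]  # (status code, headers)

# Headers whose values usually differ between a stock error page and a
# sensitive resource (assumption: adjust per application).
FINGERPRINT = ("content-type", "cache-control", "pragma", "content-length")
EXPLICIT_REJECT = {405, 501}  # "method not allowed / not implemented" is fine


def fingerprint(resp: Response) -> Tuple:
    """Status plus the fingerprint headers, case-insensitively."""
    status, headers = resp
    lower = {k.lower(): v for k, v in headers.items()}
    return (status,) + tuple(lower.get(name) for name in FINGERPRINT)


def suspicious_methods(responses: Dict[str, Response]) -> List[str]:
    """Methods whose response does not match the supposedly protected GET."""
    baseline = fingerprint(responses["GET"])
    flagged = []
    for method, resp in responses.items():
        status = resp[0]
        if method == "GET" or status in EXPLICIT_REJECT:
            continue
        if status < 400 or fingerprint(resp) != baseline:
            flagged.append(method)
    return sorted(flagged)


# Constructed sample: GET is blocked, HEAD and a made-up verb get through,
# OPTIONS is properly refused by the container.
SAMPLE: Dict[str, Response] = {
    "GET": (403, {"Content-Type": "text/html;charset=utf-8",
                  "Content-Length": "1072", "Cache-Control": "private"}),
    "HEAD": (200, {"Content-Type": "text/html;charset=utf-8",
                   "Content-Length": "18421", "Cache-Control": "no-store",
                   "Pragma": "no-cache"}),
    "JEFF": (200, {"Content-Type": "text/html;charset=utf-8",
                   "Content-Length": "18421", "Cache-Control": "no-store",
                   "Pragma": "no-cache"}),
    "OPTIONS": (405, {"Allow": "GET, POST", "Content-Length": "0"}),
}

if __name__ == "__main__":
    print("methods that bypass the GET check:", suspicious_methods(SAMPLE))
```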

Stupidity

This is a stupid, stupid, stupid vulnerability to find in 2008. It’s almost criminally negligent for the vendors to put out mechanisms that are so prone to misuse – and it’s negligent that it took us this long to find it! But who knows, maybe the “bad guys” have known for a while.

Credits

  • Jeff Williams, who should have his name on the paper as much as mine at this point, but refuses credit.
  • Jim Manico for setting up some testing environments in a hurry.
  • Jeremiah Grossman, who, for having as recognizable a name as any in security, is always happy to hear ideas from other people.
  • Arian Evans, who has been flirting with this subject for a few years and is totally an 8.5+ on Hot or Not.
  • pdp, who after talking with him in Belgium said that he did something similar to bypass some security in one of his various router hacking sessions (prior art).
  • Everyone else I’ve been talking to and trying to get feedback from over the last few weeks – thanks for keeping it under wraps, although, as you can see from the comments of my last post, the information did make it outside my circle of trust. But for the security community, keeping something a secret for a few weeks is quite an accomplishment!

18 comments so far

  1. Rogan Dawes said,

    Wrote on May 28, 2008 @ 6:01 pm

    The reason this works is not entirely surprising. The HTTP RFC states that certain methods *should* be considered to be idempotent: see http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html

    In my opinion, it is the fault of the application developers for using methods that should be “side-effect free” to actually do real work.

    As they say in the classics: “Ignorance (of the spec) is no excuse” :-)

  2. kuza55 said,

    Wrote on May 28, 2008 @ 8:31 pm

    Yay, more needless paper spam, this time about things many people know and have been using in the wild for years….

  3. kuza55 said,

    Wrote on May 28, 2008 @ 8:36 pm

    Eh, should read your posts as well as the paper, yes the “bad guys” and the actual bad guys, have known about this for a looooong time, and frankly I think everyone who knew about it expected the “good guys” to know it as well.

  4. arshan dabirsiaghi said,

    Wrote on May 28, 2008 @ 11:04 pm

    @kuza55, when will you share your endless knowledge with the rest of the world? I talked to a lot of people about this, including:

    jeremiah grossman
    arian evans
    mario
    pdp
    stefano di paulo

    … to make sure it was new. It was news to all of them. Maybe they’re not so concerned with having the image of being hooked into this massive, non-existent underground of el8 hackers to pretend they know everything, or you just know more than all of us put together. I wonder which it is?

  5. arshan dabirsiaghi said,

    Wrote on May 28, 2008 @ 11:08 pm

    Yes Rogan – unsafe GETs are pretty much everywhere. The spec protected itself in this respect and therefore you can’t put much blame on the vendors. However, the vendors passing through arbitrary HTTP verbs is pretty inexcusable.

  6. arshan dabirsiaghi said,

    Wrote on May 28, 2008 @ 11:14 pm

    @kuza55, looks like it was news also to Billy Hoffman, who’s the closest thing to a totally offensive-minded/”bad guy” I know.

    http://www.memestreams.net/users/acidus/blogid10327874/

    Plz oh plz share with us your great knowledge of underground tricks. How about if we incentivize it? $50 for every great trick you can’t find on the Internet anywhere. With all your massive skills that should be pretty easy money?

  7. kuza55 said,

    Wrote on May 29, 2008 @ 1:11 am

    @arshan:

    I am pretty surprised that it was news to all of them…Maybe it’s not as well known as I’d thought, my bad.

    I don’t disclose things that aren’t mine to tell (otherwise I wouldn’t get told anything, would I?), or all of my stuff, and I don’t really plan on changing that; instead let me go and find the reference I saw to that being used in the wild to hack a site a few years ago. I’ll post a comment here when I find it :)

  8. Niels Teusink said,

    Wrote on May 29, 2008 @ 3:47 am

    Most .htaccess tutorials seem to get it wrong and only limit GET and POST. We have found that in some cases, sending an OPTIONS request to a (.htaccess GET/POST protected) .php script will work as an authentication bypass, returning the full body.

  9. arshan dabirsiaghi said,

    Wrote on May 29, 2008 @ 6:54 am

    @niels, do you have any idea what circumstances allowed that behavior? Certain PHP/Apache versions?

  10. arshan dabirsiaghi said,

    Wrote on May 29, 2008 @ 7:13 am

    @kuza, it doesn’t matter. I talked to a few people who know you better and they say this was a pretty standard response and that I shouldn’t get too worked up about it. =]

    Though they predicted you would’ve said a year, i.e., “this is so 2005”, or something.

    Either:
    a) you did know it and you didn’t share it, or
    b) you didn’t know and are trying to appear all knowing

    If it’s a, then why on earth would it be surprising for someone else to discover it and write it up to share? Lame, even?

    If it’s b, well, it’s b.

    After something new comes out, you can always say you already knew it, and assholes always will. It’s a conveniently unverifiable way of claiming how el8 you are.

  11. kuza55 said,

    Wrote on May 29, 2008 @ 5:52 pm

    @arshan
    Haha, I wish I could find a year to go along with it, but I can’t remember what year it was and I can’t seem to find the reference I saw to it atm (some hacking team’s site got owned because they were doing this, and they posted something (to a list probably…) saying this is how it happened since people thought it had been completely owned somehow, except in their case they had blocked GET, and the attacker had used POST, so I thought it was a pretty obvious leap from that to your paper), but I am still looking for it…

    I’m not surprised that someone else came up with it, I’m surprised that it took people this long when it had been publicly mentioned before.

    Oh, and this time I didn’t use the word lame (and have no plans to), I used the word spam :p I was honestly under the impression that many people would know about this.

  12. arshan dabirsiaghi said,

    Wrote on May 29, 2008 @ 8:01 pm

    @kuza55, GET/POST jumps are pretty trivial and the need for those jumps come up way more often than this. Rogan even made us a WebScarab script that automatically translates from one to another with certain triggers a few years ago, and it comes in quite handy.

  13. GenghisKhan said,

    Wrote on May 30, 2008 @ 6:37 pm

    Hi Arshan,

    Did you still have enough energy and time to travel to Amsterdam? Thnx for publishing the amazing whitepaper, video and blog. I’m actually rechecking a couple of code-review assignments ( in idle time :) ) and considering sending a newsletter to customers. Keep up the good work.

    Hope to see you at another AMAZING! OWASP AppSec event.

    Genghis (Amsterdam)

  14. kuza55 said,

    Wrote on May 31, 2008 @ 9:10 pm

    @arshan:
    And from that realisation to using other HTTP methods (including non-existent methods) is pretty trivial.

  15. arshan dabirsiaghi said,

    Wrote on June 2, 2008 @ 10:03 am

    @kuza, I disagree, and I think the amount of positive feedback we got proves our point.

    @genghis, after hearing what’s on the in-room menus at Amsterdam hotels I’m ready to go anytime!

  16. Good Times in Toronto « Trey Ford - Security Spin Control said,

    Wrote on July 17, 2008 @ 8:38 am

    [...] great discussion on recent court rulings and Internet directed legislation, former war stories, if Arian is really an 8.5 on hot-or-not, and why proper creole spices aren’t sold in Canada.  (no kidding mom, the guys up there [...]

  17. kuza55 said,

    Wrote on March 23, 2009 @ 5:44 am

    “This is so 2005”: http://archives.neohapsis.com/archives/fulldisclosure/2005-07/0495.html

    I just stumbled upon that again, and thought I might post it here to show I wasn’t making shit up.

  18. arshan dabirsiaghi said,

    Wrote on March 23, 2009 @ 10:41 am

    There’s no doubt that a few people knew of this technique years ago. The kernel panic paper Adam Muntner pointed out to me on web-sec was proof of that – regardless, I think it’s in common verbiage now. =]
