How to Inadvertently Allow Attackers Full Access to Your Web Application
An attacker modifies the HTTP verb (e.g. GET, PUT, TRACE, DELETE, CONNECT) in order to bypass access restrictions. Attackers can often supply a different HTTP verb, or even a random string as the verb, to get past these protections. This allows the attacker to access data that should otherwise be protected. Potential risks caused by verb tampering include cross-site scripting, denial of service, etc.
Probable root cause:
· The security control fails to block verbs that are not listed
· It has GET functionality that is not idempotent or that will execute with an arbitrary HTTP verb
Probable recommendations:
· Configure your server to allow only the required HTTP methods
· Do not use HTTP verbs as factors in access decisions
· Make sure all functionality accessible through GET is idempotent
· Always enable the deny-all option: all methods should be protected, and they should not be listed during rule creation
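The root cause and the recommendations above can be shown side by side in code. The following is an added example, not code from the original post: a weak access control that only names the verbs it expects (so PUT, DELETE or a made-up verb falls through unchecked) next to a hardened one that allow-lists the implemented verbs, denies everything else, and makes the authorization decision on the caller's identity rather than on the verb. The `Request` class, the `/admin` path and the sample users are constructed for illustration.

```python
"""Verb tampering: a verb-based blocklist versus a default-deny allowlist.

Added example (not part of the original post). The Request type, the /admin
resource and the user names are assumptions made purely for illustration.
"""
from dataclasses import dataclass
from typing import Optional

# Verbs the application actually implements. Anything else is rejected
# before routing. HTTP methods are case-sensitive, so "get" is not "GET".
ALLOWED_METHODS = frozenset({"GET", "HEAD", "POST"})


@dataclass(frozen=True)
class Request:
    method: str
    path: str
    user: Optional[str] = None   # None means unauthenticated
    is_admin: bool = False


def weak_access_control(req: Request) -> int:
    """Vulnerable pattern: the rule lists the verbs it expects and checks
    only those. A request with PUT, DELETE, or an arbitrary string such as
    "FOOBAR" skips the authentication check and reaches the handler.
    Returns the HTTP status the request would get.
    """
    if req.path.startswith("/admin"):
        if req.method in ("GET", "POST") and not req.is_admin:
            return 403
    return 200  # handler runs, including for any unlisted verb


def hardened_access_control(req: Request) -> int:
    """Default deny: unknown verbs are refused for every path, and the
    authorization decision never looks at the verb at all."""
    # 1. Allow-list the verbs the application implements; deny the rest.
    if req.method not in ALLOWED_METHODS:
        return 405  # Method Not Allowed, regardless of path or user
    # 2. Authorize on who the caller is, not on how the request is phrased.
    if req.path.startswith("/admin"):
        if req.user is None:
            return 401
        if not req.is_admin:
            return 403
    return 200


def compare(requests):
    """Return (method, path, weak_status, hardened_status) for each request
    so the two policies can be inspected side by side."""
    return [
        (r.method, r.path, weak_access_control(r), hardened_access_control(r))
        for r in requests
    ]


if __name__ == "__main__":
    # Constructed sample traffic: an anonymous caller probing /admin.
    probes = [
        Request("GET", "/admin/users"),
        Request("DELETE", "/admin/users"),
        Request("FOOBAR", "/admin/users"),
        Request("GET", "/admin/users", user="alice", is_admin=True),
    ]
    for method, path, weak, hard in compare(probes):
        print(f"{method:7} {path:13} weak={weak} hardened={hard}")
```

The weak version returns 200 for the anonymous DELETE and FOOBAR requests, which is exactly the bypass the post describes; the hardened version answers 405 to both before any handler runs, and only an authenticated admin gets 200 on `/admin`.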
Also refer:
https://www.linkedin.com/pulse/how-inadvertently-allow-attackers-full-access-your-web-pradeep-m-s
https://www.linkedin.com/in/pradeep-m-s-699a2522/detail/recent-activity/shares/