Difference between revisions of "Testing for HTTP Verb Tampering (OTG-INPVAL-003)"

Revision as of 14:46, 20 August 2013

This article is part of the new OWASP Testing Guide v4.


Brief Summary


The HTTP specification includes request methods other than the de facto standard GET and POST requests. A standards-compliant web server may respond to these alternative methods in ways not anticipated by developers.

Although the common description is 'verb' tampering, the HTTP 1.1 standard refers to these request types as different HTTP 'methods.'

Description of the Issue


The full HTTP 1.1 specification (RFC 2616, section 9: http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html) defines the following valid HTTP request methods, or verbs:

OPTIONS
GET
HEAD
POST
PUT
DELETE
TRACE
CONNECT

However, most web applications only need to respond to GET and POST requests, which carry user data in the URL query string or in the request body, respectively. The standard <a href=""></a> style links trigger a GET request; form data submitted via <form method='POST'></form> triggers a POST request. Forms defined without a method also send data via GET by default.

Oddly, the other valid HTTP methods are not supported by the HTML standard (HTML 4.01, section 17.13.1: http://www.w3.org/TR/REC-html40/interact/forms.html#h-17.13.1). Any HTTP method other than GET or POST has to be issued from outside the HTML document itself. However, JavaScript and AJAX calls may send methods other than GET and POST.

As long as the web application being tested does not specifically require any HTTP methods beyond GET and POST, testing for HTTP verb tampering is quite simple. If the server accepts a request other than GET or POST, the test fails. The solution is to disable all non-GET/POST functionality within the web application server, or in a web application firewall.


Black Box testing and example


Because the HTML standard does not support request methods other than GET or POST, we will need to craft our own HTTP requests to test the other methods. We highly recommend using a tool to do this, although we will demonstrate how to do
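The check described above (send each RFC 2616 method, fail the test if anything beyond GET/POST is accepted), as an added example that is not part of the original page or of the OWASP Testing Guide: two constructed local stand-in servers, one answering every method and one with the page's mitigation applied, plus a small checker that reports which extra methods a server accepts. The handler class names, the loopback servers and the treatment of 405/501 as "refused" are assumptions of this example.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# The methods RFC 2616 section 9 defines, as listed on the page.
RFC2616_METHODS = ["OPTIONS", "GET", "HEAD", "POST", "PUT", "DELETE", "TRACE", "CONNECT"]
ALLOWED = {"GET", "POST"}  # what a typical HTML-only application needs


class PermissiveHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a server that answers every method with 200."""
    def _ok(self):
        self.send_response(200)
        self.send_header("Content-Length", "0")
        self.end_headers()
    do_GET = do_POST = do_HEAD = do_OPTIONS = _ok
    do_PUT = do_DELETE = do_TRACE = do_CONNECT = _ok

    def log_message(self, *args):  # keep the demo quiet
        pass


class RestrictedHandler(PermissiveHandler):
    """Same server with the page's mitigation applied: only GET and POST served."""
    def _deny(self):
        self.send_response(405)
        self.send_header("Allow", "GET, POST")
        self.send_header("Content-Length", "0")
        self.end_headers()
    do_HEAD = do_OPTIONS = do_PUT = do_DELETE = do_TRACE = do_CONNECT = _deny


def start_server(handler):
    # Serve on a random loopback port in a background thread.
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def accepted_methods(host, port, path="/"):
    """Send each method once; 405/501 count as refused, anything else as accepted."""
    accepted = []
    for method in RFC2616_METHODS:
        conn = http.client.HTTPConnection(host, port, timeout=5)
        conn.request(method, path)
        status = conn.getresponse().status
        conn.close()
        if status not in (405, 501):
            accepted.append(method)
    return accepted


def verb_tampering_finding(host, port):
    """Per the page, the test fails if anything beyond GET/POST is accepted."""
    return sorted(set(accepted_methods(host, port)) - ALLOWED)
```

Start one of the stand-ins with srv = start_server(PermissiveHandler) and call verb_tampering_finding(*srv.server_address); a non-empty list is the failing result the page describes, while the RestrictedHandler server yields an empty list.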

References

Whitepapers
...
Tools
...