Bypassing VBAAC With HTTP Verb Tampering

WhlLe aper - 8ypasslng v8AAC wlLh P11 verb 1amperlng
AspecL SecurlLy | www.aspecLsecurlLy.com

1 1
Bypassing Web Authentication anu
Authoiization with BTTP veib
Tampeiing:
Bow to inauveitently allow attackeis full access
to youi web application
Arshan uablrslaghl, ulrecLor of 8esearch, AspecL SecurlLy
arshan.dablrslaghl[aspecLsecurlLy.com
Introduction
Many web envlronmenLs allow verb-based auLhenLlcaLlon and access conLrol (v8AAC). 1he rules for
Lhese securlLy conLrols lnvolve uslng Lhe P11 verb (also called meLhod), such as CL1 or CS1, as parL of
a securlLy declslon. lor example, Lhe !ava LL web.xml flle can speclfy a securlLy consLralnL as follows:
<security-constraint>
<web-resource-collection>
<url-pattern>/admin/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>admin</role-name>
</auth-constraint>
</security-constraint>

1hls rule llmlLs access Lo Lhe /admln dlrecLory Lo users wlLh Lhe admln" role. Many LuLorlals and publlc
examples of secure conflguraLlons llsL CS1, CL1 (and someLlmes u1) for Lhe P11 meLhods under
whlch a securlLy consLralnL applles.
unforLunaLely, almosL all Lhe lmplemenLaLlons of Lhls mechanlsm work ln an unexpecLed and lnsecure
way. 8aLher Lhan denylng meLhods noL speclfled ln Lhe rule, Lhey allow any meLhod noL llsLed. lronlcally,
by llsLlng speclflc meLhods ln Lhelr rule, developers are acLually allowlng more access Lhan Lhey
lnLended.
We can manlpulaLe Lhe P11 verb Lo aLLempL Lo bypass or clrcumvenL such securlLy conLrols. 1he use of
Lhe PLAu meLhod ls Lhe slmplesL case. 1he aLLacker can also Lry any one of Lhe oLher valld P11 verbs,
lncludlng 18ACL, 18ACk, u1, uLLL1L, and many more. ALLackers can also Lry sendlng arblLrary sLrlngs,
such as !Lll," as Lhe P11 verb.

2 2
An appllcaLlon ls vulnerable Lo v8AAC bypass lf Lhe followlng condlLlons hold:
1) lL uses a securlLy conLrol LhaL llsLs P11 verbs,
2) Lhe securlLy conLrol falls Lo block verbs LhaL are noL llsLed, and
3) lL has CL1 funcLlonallLy LhaL ls noL ldempoLenL or wlll execuLe wlLh an arblLrary P11 verb
All Lhree of Lhese condlLlons are qulLe common. uependlng on Lhe producL and rule enforcemenL, P11
verb Lamperlng could be used Lo geL around Lhe proLecLlons provlded by any of Lhe followlng securlLy
componenLs:
Web appllcaLlon flrewalls
ConLalner-level u8L auLhenLlcaLlon/auLhorlzaLlon
AppllcaLlon-layer u8L auLhenLlcaLlon/auLhorlzaLlon
Cbvlously, noL every producL could be analyzed ln depLh. 1esLlng your envlronmenL for suscepLlblllLy Lo
v8AAC bypass wlLh P11 verb Lamperlng ls hlghly recommended.
Bypassing VBAAC witb HEAD
1he P11 speclflcaLlon, 8lC 2616 [1], speclfles LhaL PLAu requesLs should produce Lhe same resulLs as a
CL1 requesL buL wlLh no response body. 1hls means LhaL lf an aLLacker can use PLAu Lo bypass many
v8AAC securlLy mechanlsms and execuLe proLecLed funcLlons. lf CL1 requesLs were acLually ldempoLenL
as envlsloned ln Lhe 8lC, Lhls would noL be a problem, buL many frameworks and appllcaLlons LreaL CL1
and CS1 ldenLlcally.
lmaglne a u8L ln your appllcaLlon LhaL ls proLecLed by a securlLy consLralnL LhaL resLrlcLs access Lo Lhe
admln" dlrecLory and llsLs CL1 and CS1.
http://yourcompany.com/admin/admin.jsp?fn=deleteUser

lf an aLLacker Lrles Lo force browse Lo Lhe u8L ln a normal browser, Lhe securlLy consLralnL wlll check Lo
see lf Lhe requesL ls allowed. 1haL rule wlll check Lo see lf Lhe P11 verb ln Lhe aLLacker's requesL ls one
of Lhe P11 meLhods llsLed. Slnce Lhe requesL came from a browser, lL probably uses CL1 or CS1 and
wlll be sLopped by Lhe securlLy consLralnL.
Powever, lf Lhe aLLacker uses an P11 proxy llke CWAS WebScarab [2] Lo send Lhe requesL uslng Lhe
PLAu meLhod, Lhe rule wlll noL apply and Lhe requesL wlll noL be blocked. 1he appllcaLlon wlll dlrecL Lhls
requesL Lo Lhe CL1 handler, Lhe deleLeuser funcLlon wlll be successfully lnvoked, and Lhe aLLacker wlll
geL an empLy response back ln Lhe browser.
lf Lhe CL1 meLhod were ldempoLenL, as recommended ln Lhe 8lC, Lhen belng able Lo lnvoke lL wlLh a
PLAu requesL would noL be a problem, slnce Lhe sLaLe of Lhe server would noL be changed and Lhe body

3 3
of Lhe response ls removed, Lhus ellmlnaLlng any posslblllLy of lnLegrlLy or confldenLlallLy lssues,
respecLlvely. Powever, many web appllcaLlons on Lhe lnLerneL Loday do noL follow Lhls
recommendaLlon, and a CL1 requesL can be used Lo lnvoke many slgnlflcanL funcLlons and LransacLlons.
Bypassing VBAAC witb Arbitrary HTTP Verbs
Some web plaLforms, lncludlng boLh !ava LL and P, allow Lhe use of arblLrary P11 verbs. 1hese
requesLs execuLe slmllarly Lo CL1 requesLs, maklng lL posslble for aLLackers Lo use Lhese verbs Lo bypass
flawed v8AAC lmplemenLaLlons. Lven worse, Lhe response ls noL sLrlpped off as lL ls for PLAu requesLs,
so Lhe aLLacker can see Lhe unauLhorlzed pages as lf Lhere were no proLecLlon.
lf we use Lhe !Lll" meLhod lnsLead of PLAu" ln Lhe example descrlbed ln Lhe prevlous secLlon, Lhe
requesL wlll bypass Lhe securlLy consLralnL because lL ls noL one of Lhe llsLed meLhods (slmllar Lo PLAu).
8ecause Lhe requesL LargeLs a !S, Lhe servlce meLhod of Lhe !S wlll be execuLed and run as normal.
8ecause Lhe meLhod ln Lhe aLLacker's requesL ls noL one of Lhe recognlzed meLhods, Lhe servers defaulL
Lo processlng Lhe requesL as lf lL were a CL1. 1hls means LhaL Lhe full response ls reLurned and Lhe
aLLacker wlll see Lhe resulLs of Lhe admln.[sp page. A securlLy proxy llke WebScarab could easlly be
programmed Lo replace Lhe acLual meLhod wlLh !Lll" Lo faclllLaLe browslng Lhese pages as normal.
Many cusLom appllcaLlon endpolnLs wlll requlre sLaLe lnformaLlon ln order Lo handle a requesL, such as
lnformaLlon from a sesslon. Clven LhaL Lhe aLLacker ls noL auLhorlzed Lo access Lhe endpolnL, lL ls
posslble LhaL Lhe proper lnformaLlon wlll be ln Lhe sesslon and Lhe acLlon wlll fall. 1hls should noL be
consldered a defense agalnsL Lhls aLLack, only a forLunaLe clrcumsLance.
We ldenLlfled a few server/language comblnaLlons LhaL allow v8AAC bypass wlLh arblLrary P11 verbs.
1hls should noL be consldered an exhausLlve llsL as we have noL LesLed a wlde varleLy of plaLforms.
Apache 2.2.6/P
1omcaL, WebSphere, and WebLoglc when requesLlng a !S (noL a servleL)
osslbly oLhers.?
!Ss behave Lhls way because Lhelr conLenL ls placed lnLo a generlc servlce" meLhod by Lhe !S
compller. unllke an PLLpServleL, Lhe !S servlce meLhod ls called for all P11 meLhods. 1he PLLpServleL
servlce meLhod delegaLes Lo speclflc handlers, such as doCeL() and doosL(), and Lhrows an excepLlon lf
an unknown P11 meLhod ls recelved. 1herefore, Lhe use of lnvalld P11 meLhods does noL work wlLh
servleLs, and Lhe aLLacker has Lo use PLAu requesLs, whlch do noL reLurn Lhe response body.
noLe LhaL whlle servleLs are vulnerable Lo PLAu requesLs, Lhey are noL vulnerable Lo arblLrary P11
verbs, as Lhey lmplemenL speclflc meLhods for each meLhod, and reLurn an error lf an unsupporLed
meLhod ls lnvoked.

4 4
Vendor Specifics
1he followlng llsL shows LhaL mosL ma[or web and appllcaLlon servers accepL PLAu by defaulL, and
sllenLly Lransfer all PLAu requesLs Lo Lhe CL1 handler. 1he 8lC essenLlally dlcLaLes LhaL Lhe PLAu
meLhod should be processed by Lhe CL1 handler slnce Lhe headers recelved from PLAu musL maLch
Lhose from CL1. 1herefore, Lo have guaranLeed accuracy of Lhose headers, Lhe CL1 musL be execuLed ln
normal fashlon.
llS 6.0
WebSphere 6.1
WebLoglc 8.2
!8oss 4.2.2
1omcaL 6.0
Apache 2.2.8
Agaln, Lhls should noL be Lerrlbly surprlslng as lL ls a requlremenL ln Lhe 8lC. now LhaL we know Lhe
servers accepL PLAu, we wlll analyze some of Lhe more popular ouL-of-appllcaLlon securlLy mechanlsms
Lo see lf Lhey are suscepLlble Lo v8AAC bypass.
1he followlng Lable dlsplays some popular web securlLy mechanlsms and how Lhey are affecLed by verb
Lamperlng Lechnlques.

SecurlLy ConLrol
Allow P11
verbs ln
ollcy
PLAu Can 8e
ln ollcy
ollcy
8ypassable?
All !ava LL (web.xml) ?es ?es ?es
AS.nL1 AuLhz ?es ?es ?es (lf noL uslng deny all)
SlLeMlnder ?es ?es no (posslbly lf defaulL resource
proLecLlon = unproLecLed)
.hLaccess ?es ?es ?es (lf noL uslng <LlmlLLxcepL>)
)ava EE Containers
Conslder Lhe followlng, naive web.xml <securlLy-consLralnL> pollcy whlch ls acLually shlpped ln 1omcat
S.S.20 ln Lhe example on how Lo proLecL" a subseL of u8Ls:


3 3
<display-name>Example Security Constraint</display-name>
<web-resource-name>Protected Area</web-resource-name>

<url-pattern>/security/protected/*</url-pattern>

<http-method>DELETE</http-method>
<http-method>POST</http-method>
<http-method>PUT</http-method>
...

1he commenL above Lhe P11 meLhod enumeraLlon says lL all: lf you llsL P11 meLhods, only Lhose
meLhods wlll be proLecLed. 1herefore, Lhls rule wlll only flre lf a requesL for anyLhlng ln Lhe
/securlLy/proLecLed dlrecLory uses a verb ln Lhe <hLLp-meLhod> llsL. 1hls loglc ls unforLunaLely as
common as lL ls backwards, as can be seen from a slmple Coogle Code Search for <hLLp-meLhod> [3].
1he rlghL way Lo lmplemenL Lhls conLrol would be Lo block any verbs LhaL are noL llsLed. Powever, LhaL ls
noL Lhe way Lhese mechanlsms currenLly behave, and we can see ln Lhe snlppeL LhaL PLAu ls noL ln Lhls
llsL. 1herefore, lssulng an P11 PLAu requesL wlll bypass Lhe <securlLy-consLralnL> enLlrely, and Lhe
appllcaLlon server wlll pass Lhe requesL Lo Lhe CL1 handler.
1he besL approach Lo securlng !ava LL appllcaLlons ls Lo remove all Lhe <hLLp-meLhod> elemenLs from
securlLy consLralnLs ln web.xml. 1hls wlll slmply make Lhe consLralnLs apply Lo all requesLs. Powever, lf
you absoluLely musL resLrlcL access Lo a slngle meLhod, Lhere ls a way Lo use web.xml Lo enforce Lhls, buL
you have Lo seL up Lwo securlLy consLralnLs. ln Lhe example below, Lhe Lop consLralnL applles Lhe
consLralnL Lo CL1 requesLs, and Lhe second consLralnL blocks anyLhlng else.
<web-resource-name>site</web-resource-name>
<url-pattern>/*</url-pattern>
...

<web-resource-name>site</web-resource-name>
<url-pattern>/*</url-pattern>
...

6 6
ASP.NET Autborization
1he bullL-ln AS.NL1 author|zat|on [3] mechanlsm can be conflgured ln a way LhaL ls vulnerable Lo
v8AAC bypass. Pere ls an example rule from MSun:
<authorization>
<allow verbs="GET" users="*"/>
<allow verbs="POST" users="Kim"/>
<deny verbs="POST" users="*"/>
</authorization>

1he lnLenLlon of Lhls rule ls Lo allow only Lhe klm" user Lo submlL CS1 requesLs. 1hls example ls noL
vulnerable Lo bypass because CL1 requesLs are allowed Lo everyone anyway, so Lhere ls no securlLy Lo
bypass by uslng PLAu. Powever, conslder Lhe followlng auLhorlzaLlon pollcy:
<authorization>
<allow verbs="GET" users="Admin"/>
<deny verbs=POST,GET users=* />
</authorization>

1hls pollcy would be vulnerable Lo v8AAC bypass slnce PLAu could be senL ln whlch would bypass Lhe
auLhorlzaLlon check and resulL ln a sllenL forward Lo Lhe CL1 handler.
1hls happens because .nL1 lmpllclLly lnserLs an allow all" rule lnLo each auLhorlzaLlon. 1herefore a .nL1
developer musL, afLer llsLlng Lhelr role enLlLlemenLs approprlaLely, append a deny all" rule.
<authorization>
<allow verbs="GET" users="Admin"/>
<deny verbs=* users=* />
</authorization>

1hls wlll ensure LhaL Lhe only requesLs LhaL pass Lhe auLhorlzaLlon check are Lhose LhaL have speclfled an
P11 verb LhaL ls ln Lhe auLhorlzaLlon rule.
SiteMinder
S|teM|nder [4] appears Lo proLecL agalnsL v8AAC ln mosL conflguraLlons. lnvalld meLhods appear Lo be
dlscarded and rules LhaL llsL verbs seem Lo approprlaLely llmlL requesLs Lo only Lhe llsLed verbs.

7 7
1here are sLlll a few scenarlos LhaL we have noL been able Lo LesL compleLely. 1hese are relaLed Lo
realms LhaL have Lhe uefaulL 8esource roLecLlon opLlon seL Lo unproLecLed" as shown below. When
Lhese realms are nesLed wlLh proLecLed realms, lL may be posslble Lo bypass proLecLlons wlLh an unllsLed
P11 meLhod.

(lmoqe tokeo ftom soppott.beo.com)
Furtber HTTP Metbod Confusion
1here were a few oLher lnsecure behavlors noLlced when dolng Lhe research for Lhls aLLack. 1hese qulrks
add up Lo make v8AAC bypasslng more prevalenL and easler Lo perform ln some cases, buL should be
vlewed as sllghLly separaLe from Lhe aLLack ln general.
Application Endpoints Don't Consider HTTP Metbod
AlLhough developers may speclfy meLhods ln Lhelr P1ML <form> Lags, many appllcaLlons endpolnLs
don'L dlfferenLlaLe beLween CL1 and CS1 requesLs when acLlng on requesL daLa.
1echnology P11 uaLa
!ava/!S requesL.geLarameLer()
SLruLs form8ean.geLvalue()

8 8
P $_8LCuLS1['value']
yLhon requesL['foo']

All of Lhese parameLer reLrleval Lechnlques geL daLa regardless of wheLher lL comes from Lhe querysLrlng
or Lhe P11 requesL body. So, alLhough an endpolnL may be lnLended Lo only recelve CS1 requesLs, lL ls
sLlll qulLe posslble Lhe appllcaLlon wlll reLrleve daLa from Lhe querysLrlng.
Defensive Measures to Prevent VBAAC Bypass Vulnerabilities
1here are a few Lhlngs an organlzaLlon can do Lo prevenL v8AAC bypass vulnerablllLles.
1. 8e sure Lo enable Lhe deny all" opLlon ln your v8AAC mechanlsm
2. 8emove P11 meLhod resLrlcLlons from access conLrol and auLhorlzaLlon rules. All meLhods
should be proLecLed and Lhey should noL have Lo be llsLed durlng rule creaLlon. lor example, ln
!ava LL, remove all <hLLp-meLhod> elemenLs from web.xml flles. 1hls ls unllkely Lo break
funcLlonallLy and only lncreases securlLy.
3. Conflgure your web and appllcaLlon server Lo dlsallow PLAu requesLs enLlrely.
4. Make sure all funcLlonallLy accesslble Lhrough CL1 ls ldempoLenL ln accordance wlLh Lhe
speclflcaLlon.
3. ln !ava LL, never serve !Ss dlrecLly. lnsLead, puL all of your !S flles ln WL8-lnl, and use a
conLroller LhaL uses 8equesLulspaLcher.forward() Lo send a requesL Lo a !S flle. 1here are a
number of reasons why dlrecL access Lo !Ss ls a bad ldea, and Lhls ls [usL anoLher reason.
6. lf posslble, developers should always lnvoke Lhe parameLers from Lhe scope LhaL Lhey are
expecLed Lo be ln, and noL from a dlcLlonary collecLlon of requesL lnformaLlon.
About Aspect Security
AspecL SecurlLy ls Lhe leadlng provlder of appllcaLlon securlLy rlsk managemenL servlces. Mllllons of llnes
of crlLlcal appllcaLlon code are verlfled each monLh by AspecL's experlenced peneLraLlon LesLlng and
code revlew speclallsLs. AspecL Leaches advanced hands-on securlLy courses Lo Lhousands of archlLecLs,
developers, and managers each year. CrganlzaLlons wlLh crlLlcal appllcaLlons have galned conLrol by
lmplemenLlng AspecL's Secure uevelopmenL Llfecycle (SuL) program. AspecL ls headquarLered ln
Columbla Mu. lor lnformaLlon, vlslL www.aspecLsecurlLy.com or call 301-604-4882.


9 9
About tbe Autbor
Arshan uablrslaghl ls Lhe ulrecLor of 8esearch aL AspecL SecurlLy, where ln addlLlon Lo hls normal
peneLraLlon LesLlng and code revlew responslblllLles, he spends hls Llme researchlng Web 2.0 securlLy
and nexL generaLlon aLLacks and defenses. Arshan ls also Lhe founder and lead auLhor of Lhe CWAS
AnLlSamy pro[ecL. Pe has dellvered LuLorlals aL 8lackhaL and CWAS, and has been a feaLured speaker aL
boLh securlLy and arLlflclal lnLelllgence conferences.

References
[1] - PyperLexL 1ransfer roLocol - P11/1.1
hLLp://www.faqs.org/rfcs/rfc2616.hLml
[2] - CWAS WebScarab ro[ecL
hLLp://www.owasp.org/lndex.php/CaLegory:CWAS_WebScarab_ro[ecL
[3] - AS.nL1 AuLhorlzaLlon (u8L-based)
hLLp://msdn.mlcrosofL.com/en-us/llbrary/wce3kxhd(vS.80).aspx
[4] - CA SlLeMlnder Web Access Manager
hLLp://ca.com/us/lnLerneL-access-conLrol.aspx
[3] - Coogle Code Search for <hLLp-meLhod>"
hLLp://google.com/codesearch?hl=en&q=+3ChLLp-meLhod3L&sLarL=10&sa=n

Bypassing VBAAC With HTTP Verb Tampering

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Bypassing VBAAC With HTTP Verb Tampering

Uploaded by

Copyright:

Available Formats

WhlLe aper - 8ypasslng v8AAC wlLh P11 verb 1amperlng

AspecL SecurlLy | www.aspecLsecurlLy.com

You might also like