This document discusses how web application authentication and authorization (VBAAC) mechanisms that rely on HTTP verb validation can be bypassed by tampering with the HTTP verb. Many implementations allow any verb not listed in security rules, rather than denying unlisted verbs. Attackers can use alternative verbs like HEAD or arbitrary strings to circumvent rules meant to restrict access based on verbs like GET and POST. The document provides examples of how this could allow unauthorized access and outlines testing to see if implementations are susceptible. It finds that popular web servers, application servers, and security controls typically accept HEAD requests and transfer them to the GET handler, enabling potential bypass of verb-based access controls.
This document discusses how web application authentication and authorization (VBAAC) mechanisms that rely on HTTP verb validation can be bypassed by tampering with the HTTP verb. Many implementations allow any verb not listed in security rules, rather than denying unlisted verbs. Attackers can use alternative verbs like HEAD or arbitrary strings to circumvent rules meant to restrict access based on verbs like GET and POST. The document provides examples of how this could allow unauthorized access and outlines testing to see if implementations are susceptible. It finds that popular web servers, application servers, and security controls typically accept HEAD requests and transfer them to the GET handler, enabling potential bypass of verb-based access controls.
This document discusses how web application authentication and authorization (VBAAC) mechanisms that rely on HTTP verb validation can be bypassed by tampering with the HTTP verb. Many implementations allow any verb not listed in security rules, rather than denying unlisted verbs. Attackers can use alternative verbs like HEAD or arbitrary strings to circumvent rules meant to restrict access based on verbs like GET and POST. The document provides examples of how this could allow unauthorized access and outlines testing to see if implementations are susceptible. It finds that popular web servers, application servers, and security controls typically accept HEAD requests and transfer them to the GET handler, enabling potential bypass of verb-based access controls.
1 1 Bypassing Web Authentication anu Authoiization with BTTP veib Tampeiing: Bow to inauveitently allow attackeis full access to youi web application Arshan uablrslaghl, ulrecLor of 8esearch, AspecL SecurlLy arshan.dablrslaghl[aspecLsecurlLy.com Introduction Many web envlronmenLs allow verb-based auLhenLlcaLlon and access conLrol (v8AAC). 1he rules for Lhese securlLy conLrols lnvolve uslng Lhe P11 verb (also called meLhod), such as CL1 or CS1, as parL of a securlLy declslon. lor example, Lhe !ava LL web.xml flle can speclfy a securlLy consLralnL as follows: <security-constraint> <web-resource-collection> <url-pattern>/admin/*</url-pattern> <http-method>GET</http-method> <http-method>POST</http-method> </web-resource-collection> <auth-constraint> <role-name>admin</role-name> </auth-constraint> </security-constraint>
1hls rule llmlLs access Lo Lhe /admln dlrecLory Lo users wlLh Lhe admln" role. Many LuLorlals and publlc examples of secure conflguraLlons llsL CS1, CL1 (and someLlmes u1) for Lhe P11 meLhods under whlch a securlLy consLralnL applles. unforLunaLely, almosL all Lhe lmplemenLaLlons of Lhls mechanlsm work ln an unexpecLed and lnsecure way. 8aLher Lhan denylng meLhods noL speclfled ln Lhe rule, Lhey allow any meLhod noL llsLed. lronlcally, by llsLlng speclflc meLhods ln Lhelr rule, developers are acLually allowlng more access Lhan Lhey lnLended. We can manlpulaLe Lhe P11 verb Lo aLLempL Lo bypass or clrcumvenL such securlLy conLrols. 1he use of Lhe PLAu meLhod ls Lhe slmplesL case. 1he aLLacker can also Lry any one of Lhe oLher valld P11 verbs, lncludlng 18ACL, 18ACk, u1, uLLL1L, and many more. ALLackers can also Lry sendlng arblLrary sLrlngs, such as !Lll," as Lhe P11 verb. WhlLe aper - 8ypasslng v8AAC wlLh P11 verb 1amperlng
AspecL SecurlLy | www.aspecLsecurlLy.com 2 2 An appllcaLlon ls vulnerable Lo v8AAC bypass lf Lhe followlng condlLlons hold: 1) lL uses a securlLy conLrol LhaL llsLs P11 verbs, 2) Lhe securlLy conLrol falls Lo block verbs LhaL are noL llsLed, and 3) lL has CL1 funcLlonallLy LhaL ls noL ldempoLenL or wlll execuLe wlLh an arblLrary P11 verb All Lhree of Lhese condlLlons are qulLe common. uependlng on Lhe producL and rule enforcemenL, P11 verb Lamperlng could be used Lo geL around Lhe proLecLlons provlded by any of Lhe followlng securlLy componenLs: Web appllcaLlon flrewalls ConLalner-level u8L auLhenLlcaLlon/auLhorlzaLlon AppllcaLlon-layer u8L auLhenLlcaLlon/auLhorlzaLlon Cbvlously, noL every producL could be analyzed ln depLh. 1esLlng your envlronmenL for suscepLlblllLy Lo v8AAC bypass wlLh P11 verb Lamperlng ls hlghly recommended. Bypassing VBAAC witb HEAD 1he P11 speclflcaLlon, 8lC 2616 [1], speclfles LhaL PLAu requesLs should produce Lhe same resulLs as a CL1 requesL buL wlLh no response body. 1hls means LhaL lf an aLLacker can use PLAu Lo bypass many v8AAC securlLy mechanlsms and execuLe proLecLed funcLlons. lf CL1 requesLs were acLually ldempoLenL as envlsloned ln Lhe 8lC, Lhls would noL be a problem, buL many frameworks and appllcaLlons LreaL CL1 and CS1 ldenLlcally. lmaglne a u8L ln your appllcaLlon LhaL ls proLecLed by a securlLy consLralnL LhaL resLrlcLs access Lo Lhe admln" dlrecLory and llsLs CL1 and CS1. http://yourcompany.com/admin/admin.jsp?fn=deleteUser
lf an aLLacker Lrles Lo force browse Lo Lhe u8L ln a normal browser, Lhe securlLy consLralnL wlll check Lo see lf Lhe requesL ls allowed. 1haL rule wlll check Lo see lf Lhe P11 verb ln Lhe aLLacker's requesL ls one of Lhe P11 meLhods llsLed. Slnce Lhe requesL came from a browser, lL probably uses CL1 or CS1 and wlll be sLopped by Lhe securlLy consLralnL. Powever, lf Lhe aLLacker uses an P11 proxy llke CWAS WebScarab [2] Lo send Lhe requesL uslng Lhe PLAu meLhod, Lhe rule wlll noL apply and Lhe requesL wlll noL be blocked. 1he appllcaLlon wlll dlrecL Lhls requesL Lo Lhe CL1 handler, Lhe deleLeuser funcLlon wlll be successfully lnvoked, and Lhe aLLacker wlll geL an empLy response back ln Lhe browser. lf Lhe CL1 meLhod were ldempoLenL, as recommended ln Lhe 8lC, Lhen belng able Lo lnvoke lL wlLh a PLAu requesL would noL be a problem, slnce Lhe sLaLe of Lhe server would noL be changed and Lhe body WhlLe aper - 8ypasslng v8AAC wlLh P11 verb 1amperlng
AspecL SecurlLy | www.aspecLsecurlLy.com 3 3 of Lhe response ls removed, Lhus ellmlnaLlng any posslblllLy of lnLegrlLy or confldenLlallLy lssues, respecLlvely. Powever, many web appllcaLlons on Lhe lnLerneL Loday do noL follow Lhls recommendaLlon, and a CL1 requesL can be used Lo lnvoke many slgnlflcanL funcLlons and LransacLlons. Bypassing VBAAC witb Arbitrary HTTP Verbs Some web plaLforms, lncludlng boLh !ava LL and P, allow Lhe use of arblLrary P11 verbs. 1hese requesLs execuLe slmllarly Lo CL1 requesLs, maklng lL posslble for aLLackers Lo use Lhese verbs Lo bypass flawed v8AAC lmplemenLaLlons. Lven worse, Lhe response ls noL sLrlpped off as lL ls for PLAu requesLs, so Lhe aLLacker can see Lhe unauLhorlzed pages as lf Lhere were no proLecLlon. lf we use Lhe !Lll" meLhod lnsLead of PLAu" ln Lhe example descrlbed ln Lhe prevlous secLlon, Lhe requesL wlll bypass Lhe securlLy consLralnL because lL ls noL one of Lhe llsLed meLhods (slmllar Lo PLAu). 8ecause Lhe requesL LargeLs a !S, Lhe servlce meLhod of Lhe !S wlll be execuLed and run as normal. 8ecause Lhe meLhod ln Lhe aLLacker's requesL ls noL one of Lhe recognlzed meLhods, Lhe servers defaulL Lo processlng Lhe requesL as lf lL were a CL1. 1hls means LhaL Lhe full response ls reLurned and Lhe aLLacker wlll see Lhe resulLs of Lhe admln.[sp page. A securlLy proxy llke WebScarab could easlly be programmed Lo replace Lhe acLual meLhod wlLh !Lll" Lo faclllLaLe browslng Lhese pages as normal. Many cusLom appllcaLlon endpolnLs wlll requlre sLaLe lnformaLlon ln order Lo handle a requesL, such as lnformaLlon from a sesslon. Clven LhaL Lhe aLLacker ls noL auLhorlzed Lo access Lhe endpolnL, lL ls posslble LhaL Lhe proper lnformaLlon wlll be ln Lhe sesslon and Lhe acLlon wlll fall. 1hls should noL be consldered a defense agalnsL Lhls aLLack, only a forLunaLe clrcumsLance. We ldenLlfled a few server/language comblnaLlons LhaL allow v8AAC bypass wlLh arblLrary P11 verbs. 1hls should noL be consldered an exhausLlve llsL as we have noL LesLed a wlde varleLy of plaLforms. Apache 2.2.6/P 1omcaL, WebSphere, and WebLoglc when requesLlng a !S (noL a servleL) osslbly oLhers.? !Ss behave Lhls way because Lhelr conLenL ls placed lnLo a generlc servlce" meLhod by Lhe !S compller. unllke an PLLpServleL, Lhe !S servlce meLhod ls called for all P11 meLhods. 1he PLLpServleL servlce meLhod delegaLes Lo speclflc handlers, such as doCeL() and doosL(), and Lhrows an excepLlon lf an unknown P11 meLhod ls recelved. 1herefore, Lhe use of lnvalld P11 meLhods does noL work wlLh servleLs, and Lhe aLLacker has Lo use PLAu requesLs, whlch do noL reLurn Lhe response body. noLe LhaL whlle servleLs are vulnerable Lo PLAu requesLs, Lhey are noL vulnerable Lo arblLrary P11 verbs, as Lhey lmplemenL speclflc meLhods for each meLhod, and reLurn an error lf an unsupporLed meLhod ls lnvoked. WhlLe aper - 8ypasslng v8AAC wlLh P11 verb 1amperlng
AspecL SecurlLy | www.aspecLsecurlLy.com 4 4 Vendor Specifics 1he followlng llsL shows LhaL mosL ma[or web and appllcaLlon servers accepL PLAu by defaulL, and sllenLly Lransfer all PLAu requesLs Lo Lhe CL1 handler. 1he 8lC essenLlally dlcLaLes LhaL Lhe PLAu meLhod should be processed by Lhe CL1 handler slnce Lhe headers recelved from PLAu musL maLch Lhose from CL1. 1herefore, Lo have guaranLeed accuracy of Lhose headers, Lhe CL1 musL be execuLed ln normal fashlon. llS 6.0 WebSphere 6.1 WebLoglc 8.2 !8oss 4.2.2 1omcaL 6.0 Apache 2.2.8 Agaln, Lhls should noL be Lerrlbly surprlslng as lL ls a requlremenL ln Lhe 8lC. now LhaL we know Lhe servers accepL PLAu, we wlll analyze some of Lhe more popular ouL-of-appllcaLlon securlLy mechanlsms Lo see lf Lhey are suscepLlble Lo v8AAC bypass. 1he followlng Lable dlsplays some popular web securlLy mechanlsms and how Lhey are affecLed by verb Lamperlng Lechnlques.
SecurlLy ConLrol Allow P11 verbs ln ollcy PLAu Can 8e ln ollcy ollcy 8ypassable? All !ava LL (web.xml) ?es ?es ?es AS.nL1 AuLhz ?es ?es ?es (lf noL uslng deny all) SlLeMlnder ?es ?es no (posslbly lf defaulL resource proLecLlon = unproLecLed) .hLaccess ?es ?es ?es (lf noL uslng <LlmlLLxcepL>) )ava EE Containers Conslder Lhe followlng, naive web.xml <securlLy-consLralnL> pollcy whlch ls acLually shlpped ln 1omcat S.S.20 ln Lhe example on how Lo proLecL" a subseL of u8Ls:
AspecL SecurlLy | www.aspecLsecurlLy.com 3 3 <security-constraint> <display-name>Example Security Constraint</display-name> <web-resource-collection> <web-resource-name>Protected Area</web-resource-name> <!-- Define the context-relative URL(s) to be protected --> <url-pattern>/security/protected/*</url-pattern> <!-- If you list http methods, only those methods are protected --> <http-method>DELETE</http-method> <http-method>GET</http-method> <http-method>POST</http-method> <http-method>PUT</http-method> </web-resource-collection> ... </security-constraint>
1he commenL above Lhe P11 meLhod enumeraLlon says lL all: lf you llsL P11 meLhods, only Lhose meLhods wlll be proLecLed. 1herefore, Lhls rule wlll only flre lf a requesL for anyLhlng ln Lhe /securlLy/proLecLed dlrecLory uses a verb ln Lhe <hLLp-meLhod> llsL. 1hls loglc ls unforLunaLely as common as lL ls backwards, as can be seen from a slmple Coogle Code Search for <hLLp-meLhod> [3]. 1he rlghL way Lo lmplemenL Lhls conLrol would be Lo block any verbs LhaL are noL llsLed. Powever, LhaL ls noL Lhe way Lhese mechanlsms currenLly behave, and we can see ln Lhe snlppeL LhaL PLAu ls noL ln Lhls llsL. 1herefore, lssulng an P11 PLAu requesL wlll bypass Lhe <securlLy-consLralnL> enLlrely, and Lhe appllcaLlon server wlll pass Lhe requesL Lo Lhe CL1 handler. 1he besL approach Lo securlng !ava LL appllcaLlons ls Lo remove all Lhe <hLLp-meLhod> elemenLs from securlLy consLralnLs ln web.xml. 1hls wlll slmply make Lhe consLralnLs apply Lo all requesLs. Powever, lf you absoluLely musL resLrlcL access Lo a slngle meLhod, Lhere ls a way Lo use web.xml Lo enforce Lhls, buL you have Lo seL up Lwo securlLy consLralnLs. ln Lhe example below, Lhe Lop consLralnL applles Lhe consLralnL Lo CL1 requesLs, and Lhe second consLralnL blocks anyLhlng else. <security-constraint> <web-resource-collection> <web-resource-name>site</web-resource-name> <url-pattern>/*</url-pattern> <http-method>GET</http-method> </web-resource-collection> ... </security-constraint>
AspecL SecurlLy | www.aspecLsecurlLy.com 6 6 ASP.NET Autborization 1he bullL-ln AS.NL1 author|zat|on [3] mechanlsm can be conflgured ln a way LhaL ls vulnerable Lo v8AAC bypass. Pere ls an example rule from MSun: <authorization> <allow verbs="GET" users="*"/> <allow verbs="POST" users="Kim"/> <deny verbs="POST" users="*"/> </authorization>
1he lnLenLlon of Lhls rule ls Lo allow only Lhe klm" user Lo submlL CS1 requesLs. 1hls example ls noL vulnerable Lo bypass because CL1 requesLs are allowed Lo everyone anyway, so Lhere ls no securlLy Lo bypass by uslng PLAu. Powever, conslder Lhe followlng auLhorlzaLlon pollcy: <authorization> <allow verbs="GET" users="Admin"/> <allow verbs="POST" users="Kim"/> <deny verbs=POST,GET users=* /> </authorization>
1hls pollcy would be vulnerable Lo v8AAC bypass slnce PLAu could be senL ln whlch would bypass Lhe auLhorlzaLlon check and resulL ln a sllenL forward Lo Lhe CL1 handler. 1hls happens because .nL1 lmpllclLly lnserLs an allow all" rule lnLo each auLhorlzaLlon. 1herefore a .nL1 developer musL, afLer llsLlng Lhelr role enLlLlemenLs approprlaLely, append a deny all" rule. <authorization> <allow verbs="GET" users="Admin"/> <allow verbs="POST" users="Kim"/> <deny verbs=* users=* /> </authorization>
1hls wlll ensure LhaL Lhe only requesLs LhaL pass Lhe auLhorlzaLlon check are Lhose LhaL have speclfled an P11 verb LhaL ls ln Lhe auLhorlzaLlon rule. SiteMinder S|teM|nder [4] appears Lo proLecL agalnsL v8AAC ln mosL conflguraLlons. lnvalld meLhods appear Lo be dlscarded and rules LhaL llsL verbs seem Lo approprlaLely llmlL requesLs Lo only Lhe llsLed verbs. WhlLe aper - 8ypasslng v8AAC wlLh P11 verb 1amperlng
AspecL SecurlLy | www.aspecLsecurlLy.com 7 7 1here are sLlll a few scenarlos LhaL we have noL been able Lo LesL compleLely. 1hese are relaLed Lo realms LhaL have Lhe uefaulL 8esource roLecLlon opLlon seL Lo unproLecLed" as shown below. When Lhese realms are nesLed wlLh proLecLed realms, lL may be posslble Lo bypass proLecLlons wlLh an unllsLed P11 meLhod.
(lmoqe tokeo ftom soppott.beo.com) Furtber HTTP Metbod Confusion 1here were a few oLher lnsecure behavlors noLlced when dolng Lhe research for Lhls aLLack. 1hese qulrks add up Lo make v8AAC bypasslng more prevalenL and easler Lo perform ln some cases, buL should be vlewed as sllghLly separaLe from Lhe aLLack ln general. Application Endpoints Don't Consider HTTP Metbod AlLhough developers may speclfy meLhods ln Lhelr P1ML <form> Lags, many appllcaLlons endpolnLs don'L dlfferenLlaLe beLween CL1 and CS1 requesLs when acLlng on requesL daLa. 1echnology P11 uaLa !ava/!S requesL.geLarameLer() SLruLs form8ean.geLvalue() WhlLe aper - 8ypasslng v8AAC wlLh P11 verb 1amperlng
AspecL SecurlLy | www.aspecLsecurlLy.com 8 8 P $_8LCuLS1['value'] yLhon requesL['foo']
All of Lhese parameLer reLrleval Lechnlques geL daLa regardless of wheLher lL comes from Lhe querysLrlng or Lhe P11 requesL body. So, alLhough an endpolnL may be lnLended Lo only recelve CS1 requesLs, lL ls sLlll qulLe posslble Lhe appllcaLlon wlll reLrleve daLa from Lhe querysLrlng. Defensive Measures to Prevent VBAAC Bypass Vulnerabilities 1here are a few Lhlngs an organlzaLlon can do Lo prevenL v8AAC bypass vulnerablllLles. 1. 8e sure Lo enable Lhe deny all" opLlon ln your v8AAC mechanlsm 2. 8emove P11 meLhod resLrlcLlons from access conLrol and auLhorlzaLlon rules. All meLhods should be proLecLed and Lhey should noL have Lo be llsLed durlng rule creaLlon. lor example, ln !ava LL, remove all <hLLp-meLhod> elemenLs from web.xml flles. 1hls ls unllkely Lo break funcLlonallLy and only lncreases securlLy. 3. Conflgure your web and appllcaLlon server Lo dlsallow PLAu requesLs enLlrely. 4. Make sure all funcLlonallLy accesslble Lhrough CL1 ls ldempoLenL ln accordance wlLh Lhe speclflcaLlon. 3. ln !ava LL, never serve !Ss dlrecLly. lnsLead, puL all of your !S flles ln WL8-lnl, and use a conLroller LhaL uses 8equesLulspaLcher.forward() Lo send a requesL Lo a !S flle. 1here are a number of reasons why dlrecL access Lo !Ss ls a bad ldea, and Lhls ls [usL anoLher reason. 6. lf posslble, developers should always lnvoke Lhe parameLers from Lhe scope LhaL Lhey are expecLed Lo be ln, and noL from a dlcLlonary collecLlon of requesL lnformaLlon. About Aspect Security AspecL SecurlLy ls Lhe leadlng provlder of appllcaLlon securlLy rlsk managemenL servlces. Mllllons of llnes of crlLlcal appllcaLlon code are verlfled each monLh by AspecL's experlenced peneLraLlon LesLlng and code revlew speclallsLs. AspecL Leaches advanced hands-on securlLy courses Lo Lhousands of archlLecLs, developers, and managers each year. CrganlzaLlons wlLh crlLlcal appllcaLlons have galned conLrol by lmplemenLlng AspecL's Secure uevelopmenL Llfecycle (SuL) program. AspecL ls headquarLered ln Columbla Mu. lor lnformaLlon, vlslL www.aspecLsecurlLy.com or call 301-604-4882.
AspecL SecurlLy | www.aspecLsecurlLy.com 9 9 About tbe Autbor Arshan uablrslaghl ls Lhe ulrecLor of 8esearch aL AspecL SecurlLy, where ln addlLlon Lo hls normal peneLraLlon LesLlng and code revlew responslblllLles, he spends hls Llme researchlng Web 2.0 securlLy and nexL generaLlon aLLacks and defenses. Arshan ls also Lhe founder and lead auLhor of Lhe CWAS AnLlSamy pro[ecL. Pe has dellvered LuLorlals aL 8lackhaL and CWAS, and has been a feaLured speaker aL boLh securlLy and arLlflclal lnLelllgence conferences.