Saturday, 2 July 2011

Testing for HTTP Methods and XST (OWASP-CM-008)

When Testing for HTTP Methods and XST a common vulnerability to find is XST. When you manually verify that this vulnerability is truly present (i.e. not a tool false positive) you can use tools like netcat but sometimes the web server is using SSL and netcat will not work straightaway. You can get around this using stunnel but I thought there had to be an easier way.

So, you do not need to set up a tunnel just for this ... just use curl!

Example not vulnerable server:

# curl -i -A 'Mozilla/5.0' -X 'TRACE /' -k https://www.not-vulnerable.com
HTTP/1.1 403 Forbidden
Date: Sat, 04 Jun 2011 06:46:21 GMT
Server: Apache
Content-Length: 202
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /
on this server.</p>
</body></html>

Example of a vulnerable server:

# curl -i -A 'Mozilla/5.0' -X 'TRACE /' -k https://www.vulnerable.com
HTTP/1.1 200 OK
Date: Sat, 04 Jun 2011 06:34:51 GMT
Server: Apache
Connection: close
Content-Type: message/http

TRACE / / HTTP/1.1
User-Agent: Mozilla/5.0
Host: www.vulnerable.com
Accept: */*

On the curl switches:

"-A" - because sometimes the curl user agent may be blocked, you can set a normal looking one using this so that your probe goes through
"-i" - so that the request headers are displayed
"-X" - so that you can specify the verb (TRACE instead of the more common GET or POST)
"-k" - sometimes you might test this on an internal testing server that does not have a valid cert, at this point you do not care about the cert because you are testing for XST.

Other things with curl:

Testing for OPTIONS:

curl -i -A 'Mozilla/5.0' -X 'OPTIONS *' https://my.server.com
HTTP/1.1 200 OK
Date: Sat, 04 Jun 2011 07:27:20 GMT
Server: Apache
Content-Length: 0
Connection: close
Content-Type: text/plain

Testing for DEBUG might give you the OPTIONS sometimes (and also tell you if DEBUG is enabled or not):

curl -i -A 'Mozilla/5.0' -X 'DEBUG /test' -H 'Command: start-debug' https://my.server.com
HTTP/1.1 501 Method Not Implemented
Date: Sat, 04 Jun 2011 07:29:11 GMT
Server: Apache
Allow: GET,HEAD,POST,OPTIONS,TRACE
Content-Length: 211
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>501 Method Not Implemented</title>
</head><body>
<h1>Method Not Implemented</h1>
<p>DEBUG to /test not supported.<br />
</p>
</body></html>

Some references: