Monday, April 2, 2018

Tampering HTTP methods to bypass HTTP Basic Authentication


- Layout for this exercise:

- HTTP method tampering is a vulnerability suffered by some misconfigured web servers, what can be used to bypass authentication of a directory.

- HTTP method vulnerabities happen if:

   i) it is possible to list the HTTP methods allowed by an application.
   ii) the security controls fail to block not allowed methods.
   iii) the method GET is executed by default.

- In the example used to illustrate this case it is applied HTTP Basic Authentication on the "test" folder, while the hidden file .htpasswd stores usernames and passwords:

- It is important to notice that the "valid-user" requirement for authentication is limited just to the POST method. 

This is a clear misconfiguration, because it means that any other method different to POST would be allowed to access the web page without any authentication.

- After configurating the former authentication schema for /test, let's restart the web server:

- The Linux tool curl (transfers data from or to a server), used in combination with the HTTP request method OPTIONS (lists the methods supported by the URLhelps to check what are the methods enabled for the directory /test:

- POST responds with the 401 Unauthorized standard answer because for this method it is required authentication (Require valid-user):

- However, the HEAD method responses with the standard 200 OK successful answer:

- Also, the GET method responses with the standard answer 200 OK for successful authentication. In comparison to HEAD, the GET method supplies the whole content of the web resource:

 -  Now, just writing the URL and clicking on the browser simulates the GET method. The consequence is that the authentication defined in the Virtual Host configuration is tampered (GET method does not require "valid-user" authentication), and the resource is available for every user:

- This type of vulnerability is not very usual nowadays. However, some legacy servers in large organizations might be vulnerable in case they are misconfigured according to the described way in this post.