ku-suke / skipfish

Automatically exported from code.google.com/p/skipfish
Apache License 2.0
0 stars 0 forks source link

Why "PUT Request Accepted" is a high risk(red) issue? #82

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
I am trying to understand the scan finding and need some help to explain it.

Thanks.

Original issue reported on code.google.com by jli...@gmail.com on 20 Jul 2010 at 7:00

GoogleCodeExporter commented 9 years ago
In a vast majority of casts, PUT allows content to be published on the site, 
and is exposed unintentionally.

There might be a small set of sites where it is accepted and converted to GET 
without any security side effects, or exposed intentionally as a part of an 
API; in these cases, it's OK to ignore the bug.

Original comment by lcam...@gmail.com on 20 Jul 2010 at 7:11

GoogleCodeExporter commented 9 years ago
Will the high risk (red) apply to POST method too? 

What if PUT/POST etc can only be accepted for the authenticated sessions? Will 
that generate high risk issue if assuming we can use skipfish to scan with user 
id?

Thanks.

Original comment by jli...@gmail.com on 20 Jul 2010 at 8:07

GoogleCodeExporter commented 9 years ago
POST usually does not have any inherent security consequences, and is not 
listed as a potential problem in the report.

See:
http://www.owasp.org/index.php/Testing_for_HTTP_Methods_and_XST_(OWASP-CM-008)#S
hort_Description_of_the_Issue

Original comment by lcam...@gmail.com on 20 Jul 2010 at 8:34

GoogleCodeExporter commented 9 years ago
Thanks a lot.

Original comment by jli...@gmail.com on 20 Jul 2010 at 11:05