HTTP PUT Security

Posted by Oğuz~#> (Senior Member, Bursa), 5 July 2009
Security & HTTP PUT


Many web developers are familiar with the GET and POST methods of allowing a user to submit data to a web application. Less well known is the PUT method, which allows a user to upload files and turn them automatically into new URLs.
PUT can be dangerous if it is not properly locked down. In the worst-case scenario, imagine a website that allows anyone to PUT data. An attacker could craft a PHP script which would add a new user account to the server with root (admin) access. The attacker then performs an HTTP PUT with this file, and a new URL is formed. When the attacker navigates to this URL, the PHP file is executed by the web server, and it can modify any files the web user on the system has access to, including existing web pages.
Sometimes PUT is a useful part of a web application. The key is making sure only authenticated users have access, and that those authenticated users are carefully limited so only trusted users are allowed to perform PUTs. In this way, the PUT users are trusted as if they had an account on the server itself and were able to upload or modify files via other methods, such as FTP.

How Does this Impact my Security?


If PUT requests are accepted from untrusted accounts (generally non-administrators) or from the web browsing public, then this allows an attacker to take complete control of your site and possibly the entire web server as well.

Implementing HTTP PUT Security


If your website does not require PUT functionality, then it is recommended to switch to another secure protocol which uses specific user logins, such as SFTP. If PUT is needed for the application, be sure to lock down all users. Requiring two layers of authentication is the best method of ensuring this: first a web application user login, and also HTTP authentication.
In this manner, users are named and limited in who can perform PUT requests.
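As an added example (not part of the original post), here is the HTTP-authentication half of that lock-down expressed as Apache httpd configuration, with the weak setting shown beside the corrected one. It assumes mod_dav, mod_dav_fs, mod_auth_basic and mod_authn_file are loaded, and the upload directory and htpasswd path are placeholders; the two Directory blocks are alternatives, use only the hardened one.

```apache
# Added example, not from the original post. Placeholder paths:
# /var/www/uploads (WebDAV upload area), /etc/apache2/upload.htpasswd.
DavLockDB /var/lock/apache2/DavLock

# --- Weak: PUT enabled for everyone ---------------------------------------
# Any client can PUT a file here; if the directory is also served through a
# PHP handler, an uploaded script runs on the next GET.
<Directory "/var/www/uploads">
    Dav On
    Require all granted
</Directory>

# --- Hardened: PUT only for authenticated users, uploads never executed ----
<Directory "/var/www/uploads">
    Dav On

    # HTTP authentication layer (htpasswd-managed account file). Basic auth
    # sends credentials in the clear, so serve this area over HTTPS only.
    AuthType Basic
    AuthName "Upload area"
    AuthUserFile /etc/apache2/upload.htpasswd

    # Anonymous clients may only read. Every other method (PUT, DELETE,
    # PROPFIND, MKCOL, ...) requires a valid account.
    <LimitExcept GET HEAD OPTIONS>
        Require valid-user
    </LimitExcept>

    # Script files must never be served or executed from the upload area,
    # even if a trusted account uploads one by mistake.
    <FilesMatch "\.(php|phtml|phar|cgi|pl)$">
        Require all denied
    </FilesMatch>
</Directory>
```

After reloading, an unauthenticated PUT to the directory should be answered with 401 while a GET of an existing non-script file still returns 200; checking both confirms the limit applies to the write methods and not to reads.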