
Support for Various HTTP Methods on the Web

For a detailed technical report, refer to our preprint publication, "Support for Various HTTP Methods on the Web" (https://arxiv.org/abs/1405.2330), from 2014. While analyzing the distribution of support for HTTP methods on the web, we inadvertently documented the OptionsBleed vulnerability. These slides were initially prepared for a guest lecture in the CS 531 Web Server Design (Fall 2018) course at Old Dominion University.


  1. Support for Various HTTP Methods on the Web. Sawood Alam, Charles L. Cartledge, and Michael L. Nelson, Web Science and Digital Libraries Research Group, Old Dominion University, Norfolk, Virginia, USA (@ibnesayeed). CS 531 Web Server Design, November 28, 2018. https://arxiv.org/abs/1405.2330
  2. Introduction
     ● Randomly selected 100,000 URIs from a historical DMOZ collection
     ● Filtered 40,870 live URIs from the sample
     ● Performed an OPTIONS request to read the Allow header
     ● Analyzed support for the seven most common HTTP methods over various parameters
     ● We did not check to see if the URIs respond to methods returned in the Allow header
     Published Tech Report: https://arxiv.org/abs/1405.2330
  3. HTTP Method Mapping with Resource Action
  4. Example URI Constructs in REST vs. RPC
  5. HTTP Method Support
  6. OPTIONS Request and Response
  7. Process of Method Support Analysis
  8. Path Depths for URIs in Sample Set
  9. TLD Distribution for Sample Set URIs
  10. Response Codes for OPTIONS Requests
  11. Method Not Implemented
  12. Method Not Allowed
  13. Limited CRUD Support
  14. Full CRUD Support
  15. Response Changes for Different User-Agents
  16. Allow Header with Control Characters
  17. Allow Header with Malformed Method Names (OptionsBleed Story: http://archive.is/1zbMs)
  18. Allow Header with Lower-case Method Names
  19. Allow Header with Space-separated Method Names
  20. Summarized Method Support Distribution
  21. Categorized Method Support Distribution
  22. Interleaved Method Support Distribution
  23. Method Support Across Web Server Software in %
  24. Method Support Over Path Depths in %
  25. Conclusions
     ● Randomly selected 100,000 URIs from a historical DMOZ collection
     ● Filtered 40,870 live URIs from the sample
     ● Performed an OPTIONS request to read the Allow header
     ● About 44% of live URIs either did not return an Allow header or did not include any of the seven common HTTP methods
     ● About 15% of live URIs claimed support for only OPTIONS, HEAD, and GET
     ● About 39% of live URIs claimed support for only OPTIONS, HEAD, GET, and POST
     ● Only 1% of live URIs claimed support for all seven common HTTP methods
     ● We did not check to see if the URIs respond to methods returned in the Allow header
     Published Tech Report: https://arxiv.org/abs/1405.2330
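The procedure the slides describe (send OPTIONS, read Allow, bucket the claimed methods; slides 2, 6 and 25) and the Allow-header anomalies of slides 16 through 19 (control characters, malformed names, lower-case names, space-separated names), as an added worked example. This is not the authors' analysis code and not taken from the slides or the paper. It assumes the seven "common" methods are OPTIONS, GET, HEAD, POST, PUT, DELETE and TRACE (the page does not list them), the bucket definitions in classify() are this example's reading of the slide titles rather than the paper's exact categories, and SAMPLE_ALLOW_VALUES is constructed here, not study data. As the slides note, the result only reflects what a server claims in Allow, not what it actually accepts.

```python
import http.client
import re
from typing import Iterable, Optional
from urllib.parse import urlsplit

# The seven "common" methods the study tallies. Assumption: this page does not
# list them; this is the RFC 7231 method set minus CONNECT.
COMMON_METHODS = frozenset({"OPTIONS", "GET", "HEAD", "POST", "PUT", "DELETE", "TRACE"})
CRUD_METHODS = frozenset({"GET", "POST", "PUT", "DELETE"})

# RFC 7230 "token" characters. A method name is a token and is case-sensitive,
# so anything else inside an Allow element is a server bug (or leaked memory).
TOKEN_RE = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")


def fetch_allow(url: str, user_agent: str = "Mozilla/5.0", timeout: float = 10.0) -> Optional[str]:
    """Send one OPTIONS request and return the raw Allow value (None if absent).

    Network helper for real use only; the constructed sample below never calls it.
    User-Agent is a parameter because slide 15 shows responses changing with it.
    """
    parts = urlsplit(url)
    cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = cls(parts.hostname, parts.port, timeout=timeout)
    try:
        conn.request("OPTIONS", parts.path or "/", headers={"User-Agent": user_agent})
        return conn.getresponse().getheader("Allow")
    finally:
        conn.close()


def parse_allow(header: Optional[str]) -> dict:
    """Leniently tokenise an Allow value and record anomalies named after the slides.

    Returns {"methods": [upper-cased unique names], "anomalies": [labels]} where a
    label is one of: missing, control-characters, space-separated,
    malformed:<token>, lowercase:<token>.
    """
    out = {"methods": [], "anomalies": []}
    if header is None:
        out["anomalies"].append("missing")
        return out
    # Bytes below 0x20 or equal to 0x7F never belong in a field value; this is
    # the OptionsBleed symptom (heap garbage leaking into Allow).
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in header):
        out["anomalies"].append("control-characters")
    # Split on commas (the RFC form) and on space/tab (the broken form).
    raw = [t for t in re.split(r"[, \t]+", header) if t]
    if "," not in header and len(raw) > 1:
        out["anomalies"].append("space-separated")
    seen = set()
    for tok in raw:
        if not TOKEN_RE.fullmatch(tok):
            out["anomalies"].append(f"malformed:{tok!r}")
            continue
        if tok != tok.upper():
            out["anomalies"].append(f"lowercase:{tok}")
        name = tok.upper()
        if name not in seen:
            seen.add(name)
            out["methods"].append(name)
    return out


def classify(methods: Iterable[str]) -> str:
    """Bucket a method list the way the summary slides do (assumed definitions)."""
    common = set(methods) & COMMON_METHODS
    if not common:
        return "none"            # no Allow, or none of the seven in it
    if common == COMMON_METHODS:
        return "all-seven"
    crud = common & CRUD_METHODS
    if crud <= {"GET"}:
        return "read-only"       # OPTIONS/HEAD/GET only
    if crud == {"GET", "POST"}:
        return "read-post"       # OPTIONS/HEAD/GET/POST only
    if crud == CRUD_METHODS:
        return "full-crud"
    return "limited-crud"        # some, but not all, of PUT/DELETE/POST


def tally(headers: Iterable[Optional[str]]) -> dict:
    """Count buckets and give each as (count, percent of total), as on slide 25."""
    headers = list(headers)
    counts: dict = {}
    for h in headers:
        bucket = classify(parse_allow(h)["methods"])
        counts[bucket] = counts.get(bucket, 0) + 1
    return {b: (n, round(100.0 * n / len(headers), 1)) for b, n in counts.items()}


# Constructed sample of Allow values (None = header absent); not the study's data.
SAMPLE_ALLOW_VALUES = [
    None,                                       # no Allow header at all
    "OPTIONS, GET, HEAD",                       # read-only
    "OPTIONS, GET, HEAD, POST",                 # read + POST
    "get, head, post, options",                 # lower-case names (slide 18)
    "GET HEAD POST",                            # space-separated (slide 19)
    "OPTIONS,GET,HEAD,POST,PUT,DELETE,TRACE",   # all seven
    "GET, HEAD, POST, PUT, DELETE, OPTIONS",    # full CRUD without TRACE
    "GET, HEAD, POST, DELETE",                  # limited CRUD
    "GET, HEAD, PO\x00ST, \x1bGET",             # control chars + malformed (16, 17)
    "PROPFIND, MKCOL",                          # none of the seven
]

if __name__ == "__main__":
    for value in SAMPLE_ALLOW_VALUES:
        print(repr(value), "->", parse_allow(value))
    print(tally(SAMPLE_ALLOW_VALUES))
```

To run it against real hosts, replace the sample with values returned by fetch_allow() for each URI, and keep the raw header alongside the parsed result: the anomalies list is the interesting output for a server whose Allow contains bytes that are not method names.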
