[3130] in WWW Security List Archive


Re: Potential threat with some HTTP REQUEST METHODS?

daemon@ATHENA.MIT.EDU (Prentiss Riddle)
Wed Oct 2 12:11:17 1996

From: Prentiss Riddle <riddle@is.rice.edu>
To: ddion@gel.ulaval.ca (Denis Dion Jr.), www-security@ns2.rutgers.edu
Date: Wed, 2 Oct 1996 09:01:20 -0500 (CDT)
In-Reply-To: <Pine.SUN.3.91.961001200222.24656A-100000@escoumins.gel.ulaval.ca> from "Denis Dion Jr." at Oct 1, 96 08:12:13 pm
Errors-To: owner-www-security@ns2.rutgers.edu

> Date: Tue, 1 Oct 1996 20:12:13 -0400 (EDT)
> From: "Denis Dion Jr." <ddion@gel.ulaval.ca>
> To: www-security@ns2.rutgers.edu
> Subject: Potential threat with some HTTP REQUEST METHODS?
> 
> There's A LOT of information about both HTTP request methods GET and 
> POST. Of course, these are used 99% of the time. 
> 
> But what about these methods? PUT, HEAD, DELETE, LINK, UNLINK
> There doesn't seem to be any available information, even though I just 
> read that some of these methods are used to TELL THE SERVER TO 
> MODIFY A LINK OR A FILE ON THE SERVER... Seems pretty dangerous isn't it???
> 
> So, I'd REALLY appreciate if someone could send me information about 
> these annoying request methods. If they represent potential threat, why 
> aren't they more well documented???

The purpose and syntax of these methods are documented in the HTTP
protocol standards at w3.org:

	http://www.w3.org/pub/WWW/Protocols/

However, for implementation details you'll have to look for docs on each
particular HTTP server.  In fact, most servers don't implement most of
these methods, which is why they're less well known.  Of course, in some
ways a little-used element of the protocol may be more dangerous than a
well-known one, since a server which does attempt to implement it may
contain undiscovered bugs or design flaws.

-- Prentiss Riddle ("aprendiz de todo, maestro de nada") riddle@rice.edu
-- RiceInfo Administrator, Rice University / http://is.rice.edu/~riddle
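
Added example, not part of the original message: one way to find out which of the little-used methods discussed above a server actually answers is to audit its access log for requests outside the expected set. It assumes Common Log Format and an allowlist of GET, HEAD and POST; the name audit_methods and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Assumption: the site is only expected to serve these methods.
EXPECTED = {"GET", "HEAD", "POST"}

# Common Log Format: host ident user [time] "METHOD path PROTO" status bytes
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Za-z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

def audit_methods(lines, expected=EXPECTED):
    """Group requests whose method is not in `expected`.

    Returns {method: {"accepted": [...], "refused": [...]}} where
    "accepted" means the server answered 2xx/3xx (it implements the
    method for that path) and "refused" means any 4xx/5xx answer."""
    report = defaultdict(lambda: {"accepted": [], "refused": []})
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # not a request line this pattern can parse
        method = m["method"]  # method names are case-sensitive; keep as logged
        if method in expected:
            continue
        bucket = "accepted" if m["status"][0] in "23" else "refused"
        report[method][bucket].append((m["host"], m["path"], int(m["status"])))
    return dict(report)

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE = [
    '192.0.2.10 - - [02/Oct/1996:09:01:20 -0500] "GET /index.html HTTP/1.0" 200 2326',
    '192.0.2.11 - - [02/Oct/1996:09:02:01 -0500] "PUT /docs/new.html HTTP/1.0" 201 0',
    '192.0.2.11 - - [02/Oct/1996:09:02:05 -0500] "DELETE /docs/old.html HTTP/1.0" 501 -',
    '192.0.2.12 - - [02/Oct/1996:09:03:40 -0500] "LINK /docs/a.html HTTP/1.0" 501 -',
    '192.0.2.13 - - [02/Oct/1996:09:04:00 -0500] "HEAD /index.html HTTP/1.0" 200 0',
    '192.0.2.14 - - [02/Oct/1996:09:05:12 -0500] "PUT /cgi-bin/x HTTP/1.0" 403 -',
]

if __name__ == "__main__":
    for method, hits in sorted(audit_methods(SAMPLE).items()):
        print(method, "accepted:", hits["accepted"], "refused:", hits["refused"])
```

Any entry under "accepted" is a path where the server implements a method outside the allowlist and is worth checking against that server's own documentation and access controls.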
