Arshan Dabirsiaghi (see links) discovered that many web application frameworks allowed well-chosen or arbitrary HTTP methods to bypass an environment-level access control check. Where a framework applies a security constraint per method (for example, only to GET and POST requests for a resource), a request for the same resource using HEAD, or a verb the application never defined, can be routed to the same handler without ever meeting that constraint. In many cases, code which explicitly checked for a "GET" or "POST" method and rejected everything else would be safe.
This attack technique, known as Cross Site Tracing (XST), was discovered by Jeremiah Grossman in 2003 as a way to bypass the HttpOnly cookie flag that Microsoft introduced in Internet Explorer 6 SP1 to protect cookies from being accessed by JavaScript.
As a matter of fact, one of the most recurring attack patterns in Cross Site Scripting is to read the document.cookie object and send its contents to a web server controlled by the attacker, who can then hijack the victim's session.
Tagging a cookie as HttpOnly forbids JavaScript from accessing it, so a script injected through XSS cannot read it and send it to a third party.
However, the TRACE method can be used to bypass this protection: TRACE makes the server echo the request it received, including the Cookie header the browser attached, back in the response body, so a script that can issue a TRACE request and read the response recovers the cookie even in this scenario. Note that current browsers refuse to send TRACE from XMLHttpRequest or fetch, which closes the original script-based vector; an enabled TRACE is still reported as a finding because it shows the server reflecting request headers to any client that asks.
Many web applications answer an unauthenticated request for a protected URL by showing the login page, and the test URL in this example works like this. However, if the tester obtains a "200" response that is not a login page, it is possible to bypass authentication and thus authorization.

The testing method is extremely straightforward: fire up netcat (or telnet), connect to the target and send an OPTIONS request:

    $ nc
    OPTIONS / HTTP/1.1
    Host:

    HTTP/1.1 200 OK
    Server: Microsoft-IIS/5.0
    Date: Tue, GMT
    Connection: close
    Allow: GET, HEAD, POST, TRACE, OPTIONS
    Content-Length: 0

As the example shows, OPTIONS returns the list of methods that the web server supports, and in this case the TRACE method is enabled. The danger posed by TRACE is the Cross Site Tracing attack described above. OPTIONS is only a starting point: a server can accept methods it does not advertise and reject ones it lists, so each method of interest should also be sent to the resource under test and the response checked.

The same test can also be executed using nmap and the http-methods NSE script:

    nmap -p 443 --script http-methods localhost

    Starting Nmap 6.40 ( at 2015-11-04 Romance Standard Time
    Nmap scan report for localhost (127.0.0.1)
    Host is up (0.0094s latency).

If the tester thinks that the system is vulnerable to this issue, they should issue CSRF-like attacks to exploit it more fully: with some luck, using the above three commands, modified to suit the application under test and the testing requirements, a new user would be created, a password assigned, and made an administrator, all using blind request submission.
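The three checks this page describes (the per-verb access control bypass, the TRACE echo behind Cross Site Tracing, and the OPTIONS enumeration from the netcat test) as one runnable example. This is an added example written for this page, not OWASP's code nor any framework's; the /admin path, the bearer token, the JEFF verb and the cookie value are constructed for the demonstration, and a local server stands in for the target so it runs offline. The weak handler applies its constraint only to GET and POST and has TRACE enabled; the hardened handler keys the constraint on the resource, denies verbs it does not explicitly allow, and turns TRACE off.

```python
# Added example (this editor's code, not OWASP's or any framework's). A local
# target reproducing both weaknesses on this page, plus the probe a tester
# would write: OPTIONS enumeration, TRACE/XST check, verb-based auth bypass.
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

PROTECTED = {"/admin"}       # constructed: the resource that needs credentials
TOKEN = "Bearer secret"      # constructed credential for the demo


class WeakHandler(BaseHTTPRequestHandler):
    allow = frozenset({"GET", "HEAD", "POST", "OPTIONS", "TRACE"})  # TRACE on

    def log_message(self, *args): pass  # keep the demo quiet

    def __getattr__(self, name):
        # BaseHTTPRequestHandler looks up do_<VERB>; send every verb, known or
        # not, to one dispatcher, as frameworks that accept "JEFF" do.
        if name.startswith("do_"):
            return self._dispatch
        raise AttributeError(name)

    def _authorized(self):
        # Bug: the constraint is keyed on GET/POST, so HEAD or an arbitrary
        # verb reaches the protected resource with no credentials.
        if self.path in PROTECTED and self.command in ("GET", "POST"):
            return self.headers.get("Authorization") == TOKEN
        return True

    def _reply(self, status, body=b"", extra=None):
        self.send_response(status)
        for name, value in (extra or {}).items():
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        if self.command != "HEAD":
            self.wfile.write(body)

    def _dispatch(self):
        if self.command == "OPTIONS":
            return self._reply(200, extra={"Allow": ", ".join(sorted(self.allow))})
        if self.command == "TRACE":  # echo the request, Cookie and all: XST
            echo = self.requestline + "\r\n" + str(self.headers)
            return self._reply(200, echo.encode(), {"Content-Type": "message/http"})
        if not self._authorized():
            return self._reply(401, b"login page")
        return self._reply(200, b"admin panel" if self.path == "/admin" else b"ok")


class HardenedHandler(WeakHandler):
    allow = frozenset({"GET", "HEAD", "POST", "OPTIONS"})  # TRACE off

    def _authorized(self):  # fix: key the constraint on the resource, not the verb
        return self.path not in PROTECTED or self.headers.get("Authorization") == TOKEN

    def _dispatch(self):  # fix: deny verbs that are not explicitly allowed
        if self.command not in self.allow:
            return self._reply(405, extra={"Allow": ", ".join(sorted(self.allow))})
        return super()._dispatch()


def request(port, method, path, headers=None):
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request(method, path, headers=headers or {})
    resp = conn.getresponse()
    body = resp.read()
    conn.close()
    return resp.status, resp.headers, body


def enumerate_methods(port):  # the OPTIONS step: parse the Allow header
    _, headers, _ = request(port, "OPTIONS", "/")
    return {m.strip() for m in headers.get("Allow", "").split(",") if m.strip()}


def trace_echoes_cookie(port, cookie="session=deadbeef"):  # XST check
    status, _, body = request(port, "TRACE", "/", {"Cookie": cookie})
    return status == 200 and cookie.encode() in body


def method_bypass(port, path="/admin"):
    # True for a verb if an unauthenticated request got a 200 that is not the
    # login page, i.e. the per-verb access control check was bypassed.
    results = {verb: request(port, verb, path) for verb in ("GET", "POST", "HEAD", "JEFF")}
    return {v: s == 200 and b"login page" not in b for v, (s, _, b) in results.items()}


def scan(handler):  # run a target in a thread, run the three checks, stop it
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    port = srv.server_address[1]
    try:
        return {"allow": enumerate_methods(port),
                "xst": trace_echoes_cookie(port),
                "bypass": method_bypass(port)}
    finally:
        srv.shutdown()


if __name__ == "__main__":
    print("weak:    ", scan(WeakHandler))
    print("hardened:", scan(HardenedHandler))
```

Against the weak target the probe reports TRACE in the Allow list, a TRACE response that contains the cookie it sent, and a 200 for HEAD and JEFF on /admin with no credentials while GET and POST get the login page; against the hardened target all three checks come back clean. Against a real host, replace the local server with the target's host and port in request() and compare each verb's status and body with the login page the application normally shows.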