Webapp security
===============

A summary of many webapp security topics.

Bypass .htaccess
----------------

TL;DR
~~~~~

.. code-block:: shell

    curl -X PUT http://example/flag
    curl -X GETS http://example/flag

Why does it work?
~~~~~~~~~~~~~~~~~
- PUT

  - Sometimes only GET and POST are restricted, while every other method is still allowed.

- GETS

  - Sometimes an unknown method is passed by Apache to the PHP engine, which is expected to interpret it itself. If the method is not implemented, it is treated as GET by default. This is a feature, not a bug: it is what allows new protocols like DAV PROPFIND to be implemented.
Correct ``.htaccess``:

.. code-block:: apache

    # Only GET and POST are covered by this block; on its own it leaves
    # every other method name (PUT, DELETE, "GETS", ...) unrestricted.
    <Limit GET POST>
        require valid-user
    </Limit>
    # The complement: everything that is not GET or POST is refused outright.
    # Order/Deny are Apache 2.2 directives (mod_access_compat on 2.4); on a
    # plain Apache 2.4 setup use "Require all denied" here instead.
    <LimitExcept GET POST>
        Order Allow,Deny
        Deny from all
    </LimitExcept>
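As an added example (not code from the original page), here is a small Python checker that reads an ``.htaccess`` file and reports ``<Limit>`` blocks whose access control is not complemented by a matching ``<LimitExcept>`` or by a top-level ``Require``, which is exactly the gap the PUT/GETS requests above exploit. The two sample configurations embedded in it are constructed for the demonstration, and the function names (``parse_htaccess``, ``find_method_bypass``) are assumptions of this example.

```python
import re
from dataclasses import dataclass

# Constructed sample: the weak configuration, protecting only GET and POST.
WEAK_HTACCESS = """
AuthType Basic
AuthName "flag"
AuthUserFile /var/www/.htpasswd
<Limit GET POST>
    Require valid-user
</Limit>
"""

# Constructed sample: the same file with the complementary <LimitExcept> block.
FIXED_HTACCESS = WEAK_HTACCESS + """
<LimitExcept GET POST>
    Order Allow,Deny
    Deny from all
</LimitExcept>
"""

OPEN_RE = re.compile(r"^\s*<(Limit|LimitExcept)\s+([^>]+)>\s*$", re.IGNORECASE)
CLOSE_RE = re.compile(r"^\s*</(Limit|LimitExcept)>\s*$", re.IGNORECASE)
# Directives that actually restrict access; anything else inside a block is ignored.
ACCESS_RE = re.compile(r"^\s*(require|deny|allow|order)\b", re.IGNORECASE)


@dataclass
class Section:
    kind: str                 # "limit" or "limitexcept"
    methods: frozenset        # upper-cased method names listed in the tag
    has_access_control: bool = False


def parse_htaccess(text):
    """Return (sections, top_level_access_control) for an .htaccess body."""
    sections, current, top_level = [], None, False
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = OPEN_RE.match(line)
        if m:
            methods = frozenset(x.upper() for x in m.group(2).split())
            current = Section(m.group(1).lower(), methods)
            continue
        if CLOSE_RE.match(line):
            if current is not None:
                sections.append(current)
            current = None
            continue
        if ACCESS_RE.match(line):
            if current is None:
                top_level = True          # applies to every method
            else:
                current.has_access_control = True
    return sections, top_level


def find_method_bypass(text):
    """List <Limit> blocks whose protection can be sidestepped with another method."""
    sections, top_level = parse_htaccess(text)
    if top_level:
        return []  # unconditional access control already covers all methods
    # A <LimitExcept E> block restricts every method NOT in E, so together with
    # <Limit L> it covers everything exactly when E is a subset of L.
    covered = [s.methods for s in sections
               if s.kind == "limitexcept" and s.has_access_control]
    findings = []
    for s in sections:
        if s.kind != "limit" or not s.has_access_control:
            continue
        if not any(e <= s.methods for e in covered):
            names = " ".join(sorted(s.methods))
            findings.append(
                f"<Limit {names}> protects only those methods; PUT, DELETE "
                f"and unknown method names reach the resource unrestricted")
    return findings


if __name__ == "__main__":
    for label, body in (("weak", WEAK_HTACCESS), ("fixed", FIXED_HTACCESS)):
        print(label, find_method_bypass(body) or "ok")
```

Run it against a real ``.htaccess`` by passing the file contents to ``find_method_bypass``; an empty list means every method is covered either by an unconditional directive or by a ``<Limit>``/``<LimitExcept>`` pair whose method sets complement each other.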