For a detailed technical report, refer to our 2014 preprint, "Support for Various HTTP Methods on the Web" (https://arxiv.org/abs/1405.2330). While analyzing the distribution of support for HTTP methods on the web, we inadvertently documented the OptionsBleed vulnerability. These slides were initially prepared for a guest lecture in the CS 531 Web Server Design (Fall 2018) course at Old Dominion University.
1. Sawood Alam, Charles L. Cartledge, and Michael L. Nelson
Web Science and Digital Libraries Research Group
Old Dominion University
Norfolk, Virginia, USA
@ibnesayeed
CS 531 Web Server Design
November 28, 2018
https://arxiv.org/abs/1405.2330
Support for Various
HTTP Methods on the Web
2. Introduction
● Randomly selected 100,000 URIs from a historical DMOZ collection
● Filtered the sample down to 40,870 live URIs
● Sent an OPTIONS request to each live URI and read the Allow response header
● Analyzed support for the seven most common HTTP methods across various parameters
● We did not verify that the URIs actually respond to the methods listed in the Allow header; the figures reflect claimed, not confirmed, support
Published Tech Report: https://arxiv.org/abs/1405.2330
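The probe described above, as an added example that is not the authors' code: send OPTIONS, parse the Allow header into method tokens, and bucket the claimed support into the categories the talk reports. The set of "seven common methods" is assumed here to be the RFC 2616 methods minus CONNECT (the page does not list them), and the sample responses are constructed inline so the parsing and bucketing run offline; only `options_allow` touches the network. Allow values that are not valid HTTP tokens are kept apart as junk rather than being counted as methods, which is the check that would have flagged the corrupted Allow headers behind OptionsBleed.

```python
"""OPTIONS/Allow probe and classifier. Added example, not code from the talk.

Assumption: SEVEN_METHODS is the RFC 2616 method set minus CONNECT; the page
does not name the seven methods it counts."""

import http.client
import re
from collections import Counter
from urllib.parse import urlsplit

# Assumed set of the "seven common methods" (not stated on the page).
SEVEN_METHODS = ("OPTIONS", "HEAD", "GET", "POST", "PUT", "DELETE", "TRACE")

# RFC 7230 token characters. A method name must be a token; anything else in
# an Allow value (control bytes, stray memory) is noise and must not be counted.
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def parse_allow(header_value):
    """Split an Allow header into (methods, junk).

    methods: valid tokens, upper-cased, de-duplicated, in order of appearance.
    junk: comma-separated items that are not valid tokens, kept for inspection.
    """
    methods, junk = [], []
    if header_value is None:
        return methods, junk
    for item in header_value.split(","):
        item = item.strip()
        if not item:
            continue
        if _TOKEN.match(item):
            method = item.upper()
            if method not in methods:
                methods.append(method)
        else:
            junk.append(item)
    return methods, junk


def classify(methods):
    """Bucket a parsed method list into the categories used in the conclusions."""
    claimed = {m for m in methods if m in SEVEN_METHODS}
    if not claimed:
        return "none-of-seven"          # no Allow header, or none of the seven
    if claimed == {"OPTIONS", "HEAD", "GET"}:
        return "options-head-get"
    if claimed == {"OPTIONS", "HEAD", "GET", "POST"}:
        return "options-head-get-post"
    if claimed == set(SEVEN_METHODS):
        return "all-seven"
    return "other"


def tally(allow_by_uri):
    """Count categories over a mapping of URI -> raw Allow header (or None)."""
    return Counter(classify(parse_allow(value)[0]) for value in allow_by_uri.values())


def options_allow(uri, timeout=10):
    """Send a real OPTIONS request and return the raw Allow header, or None.

    Needs network access; the offline sample below does not call it. Multiple
    Allow headers are joined with ", " by http.client, which parse_allow handles.
    """
    parts = urlsplit(uri)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    try:
        conn.request("OPTIONS", target, headers={"Host": parts.netloc})
        resp = conn.getresponse()
        resp.read()
        return resp.getheader("Allow")
    finally:
        conn.close()


# Constructed sample: what a small crawl might have recorded per URI.
SAMPLE_ALLOW = {
    "http://example.com/a": "OPTIONS, GET, HEAD",
    "http://example.com/b": "get,head,post,options",           # lower case, no spaces
    "http://example.com/c": None,                              # no Allow header at all
    "http://example.com/d": "GET, HEAD, POST, PUT, DELETE, OPTIONS, TRACE",
    "http://example.com/e": "PROPFIND, MKCOL",                 # WebDAV only
    "http://example.com/f": "GET, HEAD, OPTIONS, \x00\x15BAD", # corrupted trailing item
    "http://example.com/g": "GET, HEAD, OPTIONS, POST, PUT",
}

if __name__ == "__main__":
    for uri, value in SAMPLE_ALLOW.items():
        methods, junk = parse_allow(value)
        print(uri, classify(methods), methods, "junk=%r" % junk)
    print(dict(tally(SAMPLE_ALLOW)))
```

A bucket of "none-of-seven" mixes two different situations (no Allow header at all versus an Allow header listing only non-standard methods such as WebDAV's PROPFIND), which is why the talk reports them together as 44%; split them if you need to distinguish "server ignores OPTIONS" from "server exposes extension methods".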
25. Conclusions
● Randomly selected 100,000 URIs from a historical DMOZ collection
● Filtered the sample down to 40,870 live URIs
● Sent an OPTIONS request to each live URI and read the Allow response header
● About 44% of live URIs either returned no Allow header or listed none of the seven common HTTP methods
● About 15% of live URIs claimed support for only OPTIONS, HEAD, and GET
● About 39% of live URIs claimed support for only OPTIONS, HEAD, GET, and POST
● Only 1% of live URIs claimed support for all seven common HTTP methods
● We did not verify that the URIs actually respond to the methods listed in the Allow header, so these are claimed rather than confirmed levels of support