<div dir="ltr">Hi,<div><br></div><div><br></div><div>HEAD would be better imho because TRACE mode is usually disabled. </div><div>(vulnerability scanners tend to complain about it so it will be disabled most of the time...)</div>
<div><br></div><div>ax</div><div><br></div><div><br></div><div><br></div><div><br></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Thu, Nov 21, 2013 at 7:23 PM, Mark Delany <span dir="ltr"><<a href="mailto:f4w@echo.emu.st" target="_blank">f4w@echo.emu.st</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On 21Nov13, Richard Barnes allegedly wrote:<br>
> > GET requests should not alter state; if they do, arguably the problem<br>
> > there lies with the design of the faulty website.<br>
> ><br>
> ><br>
> Indeed, that is what the HTTP spec says. But there are a good number of<br>
> faulty websites out there, and it seems bad to have Atlas be a tool to<br>
> exploit them.<br>
<br>
Agreed. Given the infinite monkeys that have written public facing web<br>
services, there are bound to be web sites that use HTTP verbs in weird<br>
and wonderful ways.<br>
<br>
But what about using HEAD?<br>
<br>
That would serve a lot of monitoring purposes as it can give you<br>
connect time and time to first byte, it doesn't return any content so<br>
the problem of fetching dodgy content is mitigated and the size of the<br>
payload is much more constrained.<br>
<br>
Another alternative is to only allow something like the "OPTIONS" or<br>
"TRACE" verbs.<br>
<br>
For those probing their own systems they could implement these verbs<br>
but even if those verbs aren't implemented you still get time to first<br>
byte as a consequence of the error returned.<br>
<span class="HOEnZb"><font color="#888888"><br>
<br>
Mark.<br>
<br>
</font></span></blockquote></div><br></div>
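The measurement Mark describes (connect time and time to first byte from a HEAD request, with no body ever fetched, and a TTFB still obtained from the error a server returns for a verb it does not implement) as an added worked example; this is not code from the thread or from RIPE Atlas. The target server, the `probe` and `start_target` names, and the `MAX_HEAD_BYTES` cap are all constructed for the example; the probe reads only the response head, so the bytes it accepts are bounded regardless of how the server behaves.

```python
"""Time a HEAD (or any other verb) against an HTTP server while reading only the response head.

Added example, not part of the mailing-list thread. The local target below is constructed
so the probe can be run offline; against a real host only probe() is needed.
"""
import socket
import threading
import time
from http.server import BaseHTTPRequestHandler, HTTPServer

MAX_HEAD_BYTES = 16 * 1024  # constructed cap on how much response head the probe will accept


class _ProbeTarget(BaseHTTPRequestHandler):
    """Constructed local target: answers GET and HEAD; the base class replies 501 to anything else
    (e.g. TRACE), which is exactly the "error still gives you TTFB" case from the thread."""
    BODY = b"a body that a HEAD probe never receives\n"

    def _head(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(self.BODY)))
        self.end_headers()

    def do_GET(self):
        self._head()
        self.wfile.write(self.BODY)

    def do_HEAD(self):
        self._head()  # headers only: same status and Content-Length, no payload

    def log_message(self, *args):  # keep the example quiet
        pass


def start_target():
    """Start the constructed target on an ephemeral loopback port; returns the server object."""
    server = HTTPServer(("127.0.0.1", 0), _ProbeTarget)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def probe(host, port, method="HEAD", path="/", timeout=5.0):
    """Send one request and return (status, connect_ms, ttfb_ms, head_bytes, body_bytes_seen).

    Only the response head is read: reading stops at the blank line that ends the headers or at
    MAX_HEAD_BYTES, whichever comes first, so the payload size is constrained by the probe, not by
    the server. body_bytes_seen counts any bytes that happened to arrive after the blank line in
    the last segment read; for HEAD it is always 0 because the server sends no body at all.
    """
    t0 = time.perf_counter()
    sock = socket.create_connection((host, port), timeout=timeout)
    t_connected = time.perf_counter()
    t_first = None
    buf = b""
    try:
        request = (f"{method} {path} HTTP/1.1\r\nHost: {host}\r\n"
                   "Connection: close\r\n\r\n").encode("ascii")
        sock.sendall(request)
        while b"\r\n\r\n" not in buf and len(buf) < MAX_HEAD_BYTES:
            chunk = sock.recv(4096)
            if not chunk:
                break
            if t_first is None:
                t_first = time.perf_counter()  # time to first byte, error responses included
            buf += chunk
    finally:
        sock.close()
    if t_first is None:
        raise ConnectionError("connection accepted but no response bytes received")

    head_end = buf.find(b"\r\n\r\n")
    head = buf if head_end < 0 else buf[:head_end]
    body_seen = 0 if head_end < 0 else len(buf) - head_end - 4
    status_line = head.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = status_line.split(" ", 2)
    status = int(parts[1]) if len(parts) >= 2 and parts[1].isdigit() else 0
    return status, (t_connected - t0) * 1000.0, (t_first - t0) * 1000.0, len(head), body_seen


if __name__ == "__main__":
    srv = start_target()
    port = srv.server_address[1]
    for verb in ("HEAD", "GET", "TRACE"):
        st, conn_ms, ttfb_ms, head_len, body_len = probe("127.0.0.1", port, verb)
        print(f"{verb:5} status={st} connect={conn_ms:.2f}ms ttfb={ttfb_ms:.2f}ms "
              f"head={head_len}B body_seen={body_len}B")
    srv.shutdown()
```

Against the constructed target, HEAD returns 200 with the advertised Content-Length but zero body bytes, GET may deliver part of the body in the same segment as the headers (which is the fetching problem the thread wants to avoid), and TRACE returns a 501 whose status line still yields a usable connect time and TTFB.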