I think HEAD would probably be OK.  At least, I'm not aware of any exploits that would enable.

--Richard


On Thu, Nov 21, 2013 at 1:30 PM, Imre Szvorenyi <ax@initrd.net> wrote:
Hi,


HEAD would be better imho because TRACE mode is usually disabled. 
(vulnerability scanners tend to complain about it so it will be disabled most of the time...)

ax






On Thu, Nov 21, 2013 at 7:23 PM, Mark Delany <f4w@echo.emu.st> wrote:
On 21Nov13, Richard Barnes allegedly wrote:
> > GET requests should not alter state; if they do, arguably the problem
> > there lies with the design of the faulty website.
> >
> >
> Indeed, that is what the HTTP spec says. But there are a good number of
> fault websites out there, and it seems bad to have Atlas be a tool to
> exploit them.

Agreed. Given the infinite monkeys that have written piblic facing web
services, there is bound to be web sites that use HTTP verbs in weird
and wonderful ways.

But what about using HEAD?

That would serve a lot of monitoring purposes as it can give you
connect time and time to first byte, it doesn't return any content so
the problem of fetching dodgy content is mitigated and the size of the
payload is much more constrained.

Another alternative is to only allow something like the "OPTION" or
"TRACE" verbs.

For those probing their own systems they could implement these VERBs
but even if those VERBS aren't implemented you still get time to first
byte as a consequence of the error returned.


Mark.