Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

It's been my job since 2005 to evaluate deployments of applications like these and I'm not sure I can call to mind any application I've ever seen that would have been insecure but for a perimeter filter on methods. URL-space, yes; I've seen things where "/admin" was perimeter-filtered. Methods, no: I've never seen an application where "PUT" was allowed on the internal network but perimeter-filtered so it wasn't allowed on the public network.

It's clearly happened, though; you can search for vulnerabilities tied to it. I just don't think it's all that common. Someone got a bounty from Google for a cloud.google.com service that used an internal proxy where XMO got them control over a PUT.



Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: