HTTP Verb Tampering

If the web server configuration is not restricted to only the HTTP methods the application requires (e.g. GET and POST), and the web application is not developed to handle other types of HTTP requests (e.g. HEAD, PUT), then we may be able to exploit this insecure configuration to gain access to functionalities we should not have access to, or even to bypass certain security controls.

To see which HTTP methods the server accepts, we can send an OPTIONS request and read the Allow header in the response, as follows:

curl -i -X OPTIONS http://SERVER_IP:PORT/

HTTP/1.1 200 OK
Date: 
Server: Apache/2.4.41 (Ubuntu)
Allow: POST,OPTIONS,HEAD,GET
Content-Length: 0
Content-Type: httpd/unix-directory
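The Allow header above lists every method the server is willing to serve. As an added example (not part of the original notes), the following Python helper parses such a response and flags any advertised method that the application does not need; the sample response is constructed from the curl output above, and the sets of required and benign methods are assumptions for an application that only uses GET and POST.

```python
# Added example (not from the original notes): compare the methods advertised
# in an OPTIONS response's Allow header with the methods the application needs.

# Constructed sample, based on the curl output shown in the notes.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "Allow: POST,OPTIONS,HEAD,GET\r\n"
    "Content-Length: 0\r\n"
    "Content-Type: httpd/unix-directory\r\n"
    "\r\n"
)

# Assumption: the application is designed to handle only GET and POST.
REQUIRED_METHODS = {"GET", "POST"}
# Assumption: HEAD and OPTIONS are considered harmless to leave enabled.
BENIGN_METHODS = {"HEAD", "OPTIONS"}


def parse_allow_header(raw_response: str) -> set:
    """Return the set of methods advertised in the Allow header, upper-cased.

    Returns an empty set when the header is absent.
    """
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "allow":
            return {m.strip().upper() for m in value.split(",") if m.strip()}
    return set()


def unexpected_methods(raw_response: str,
                       required=REQUIRED_METHODS,
                       benign=BENIGN_METHODS) -> set:
    """Methods the server advertises that the application has no use for.

    Anything returned here is a candidate for removal from the server
    configuration before it becomes a verb tampering vector.
    """
    return parse_allow_header(raw_response) - set(required) - set(benign)


if __name__ == "__main__":
    print("advertised:", sorted(parse_allow_header(SAMPLE_RESPONSE)))
    print("unexpected:", sorted(unexpected_methods(SAMPLE_RESPONSE)))
```

Running the check periodically against each restricted path (not just the document root) is the useful part: a method that is harmless at `/` may be the one that slips past a per-path authentication rule.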

Bypassing Basic Authentication

To check whether we can bypass authentication with an HTTP Verb Tampering attack, we first need to identify which pages are restricted by this authentication.

  • To try and exploit the page, we need to identify the HTTP request method used by the web application.

  • Check whether the authentication also covers other request methods.

  • Try changing the request method.

Bypassing Security Filters

  • Try an HTTP Verb Tampering attack to see whether the security filter can be bypassed altogether.

Prevention

To avoid HTTP Verb Tampering vulnerabilities in our code, we must be consistent in our use of HTTP methods and ensure that the same method is always used for any specific functionality across the web application. It is also advised to expand the scope of security filters by testing all request parameters, regardless of the method used. This can be done with the following functions and variables:
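The two weaknesses described on this page, an authentication rule that covers only some methods and a security filter that inspects only one parameter source, can both be shown side by side with their hardened forms. The following Python model is an added example, not code from the original notes: the request object, the method lists, the "dangerous character" pattern and the handler are all constructed for illustration, and the method-scoped authentication gate is modelled on the assumption that the server only applies the rule to the methods it lists.

```python
# Added example (not part of the original notes): weak and hardened scoping
# of an authentication check and of an input filter, modelled in plain Python.
from dataclasses import dataclass, field
import re


@dataclass
class Request:
    method: str
    query: dict = field(default_factory=dict)   # parameters from the URL
    body: dict = field(default_factory=dict)    # parameters from the request body
    authenticated: bool = False

    def all_params(self) -> dict:
        """Every parameter regardless of where it arrived (like PHP's $_REQUEST)."""
        return {**self.query, **self.body}


# --- 1. Authentication scoped to a method list -----------------------------
# Assumption: the rule protects only the listed methods, so a request using
# any other verb never reaches the authentication check at all.

def auth_gate_limited(req: Request, protected=("GET", "POST")) -> bool:
    """Weak: True if the request may proceed; only listed methods are checked."""
    if req.method.upper() in protected:
        return req.authenticated
    return True   # any other verb passes through unchecked


def auth_gate_all(req: Request, allowed=("GET", "POST", "HEAD")) -> bool:
    """Hardened: unknown verbs are rejected, and every allowed verb needs auth."""
    if req.method.upper() not in allowed:
        return False
    return req.authenticated


# --- 2. Input filter scoped to one parameter source --------------------------
# Constructed pattern standing in for a shell-metacharacter filter.
DANGEROUS = re.compile(r"[;&|`$]")


def filter_weak(req: Request) -> bool:
    """Weak: inspects only the URL query, so the same parameter sent in a
    POST body is never examined."""
    return not any(DANGEROUS.search(v) for v in req.query.values())


def filter_strict(req: Request) -> bool:
    """Hardened: inspects every parameter the handler could possibly read."""
    return not any(DANGEROUS.search(v) for v in req.all_params().values())


def handler_reads(req: Request) -> str:
    """The handler reads the merged parameters, so whatever filter_weak
    skipped still reaches application logic."""
    return req.all_params().get("filename", "")


if __name__ == "__main__":
    probe = Request(method="HEAD")                      # unauthenticated
    print("limited gate lets HEAD through:", auth_gate_limited(probe))
    print("all-methods gate blocks HEAD:  ", not auth_gate_all(probe))
    posted = Request(method="POST", body={"filename": "a;id"})
    print("weak filter misses body param: ", filter_weak(posted))
    print("strict filter catches it:      ", not filter_strict(posted))
```

The design point is that the check and the handler must look at the same thing: if the handler reads a merged parameter set, the filter has to read the merged set too, and if the handler answers any verb, the authentication rule has to apply to any verb (or reject the verbs the application does not use).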
