HTTP Verb Tampering
If the web server configuration is not restricted to accept only the HTTP methods the web application requires (e.g. GET/POST), and the web application is not developed to handle other types of HTTP requests (e.g. HEAD, PUT), then we may be able to exploit this insecure configuration to gain access to functionalities we do not have access to, or even bypass certain security controls.
To see which HTTP methods the server accepts, we can send an OPTIONS request to it and check which methods are listed in the response, as follows:
Bypassing Basic Authentication
First, we check whether we can bypass the authentication with an HTTP Verb Tampering attack. To do so, we need to identify which pages are restricted by this authentication.
To try and exploit such a page, we need to:
identify the HTTP request method the web application uses for it
see whether the authentication also covers other request methods
try changing the request method
Bypassing Security Filters
If the web application applies a security filter to a request, try an HTTP Verb Tampering attack to see whether the filter can be bypassed altogether.
Prevention
To avoid HTTP Verb Tampering vulnerabilities in our code, we must be consistent in our use of HTTP methods and ensure that the same method is always used for any specific functionality across the web application. It is also advised to expand the scope of security filters by testing all request parameters, regardless of the HTTP method that delivered them. This can be done with the following functions and variables:
PHP: $_REQUEST['param']
Java: request.getParameter("param")
C#: Request["param"]
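As an added example that is not part of the original page, the following Python sketch shows both prevention points together: a per-route method allow-list (so HEAD, PUT and other verbs never reach the handler, and OPTIONS advertises only what the route supports) and a security filter that inspects every parameter regardless of where it came from, the equivalent of checking $_REQUEST rather than only $_GET. The routes, parameter names, character allow-list and sample requests are constructed for illustration; weak_filter shows the pattern a verb-tampered request slips past, and strict_filter the corrected one.

```python
# Added example (not from the original page): a minimal request dispatcher
# that prevents HTTP verb tampering by (1) enforcing a per-route method
# allow-list and (2) running the security filter over parameters from every
# source, the equivalent of checking PHP's $_REQUEST rather than only $_GET.
# Routes, parameter names, the allow-list and sample requests are constructed.
import re
from dataclasses import dataclass
from urllib.parse import parse_qs

# Characters a "filename"-style parameter may contain (constructed allow-list).
SAFE_VALUE = re.compile(r"[A-Za-z0-9._-]*")

# Each route names the only methods it is written to handle; the same method
# is used consistently for a given function, so nothing else needs handling.
ROUTES = {
    "/admin/reset": {"POST"},
    "/files": {"GET", "POST"},
}


@dataclass
class Request:
    method: str
    path: str
    query: str = ""  # raw query string, e.g. "filename=notes.txt"
    body: str = ""   # raw form body, e.g. "filename=notes.txt"


def all_params(req):
    """Merge query-string and body parameters (like PHP's $_REQUEST)."""
    merged = {}
    for raw in (req.query, req.body):
        for key, values in parse_qs(raw, keep_blank_values=True).items():
            merged.setdefault(key, []).extend(values)
    return merged


def weak_filter(req):
    """Vulnerable pattern: only the query string (like $_GET) is inspected, so
    the same parameter sent in a POST body, or via another verb, is never seen."""
    params = parse_qs(req.query, keep_blank_values=True)
    return all(SAFE_VALUE.fullmatch(v) for vals in params.values() for v in vals)


def strict_filter(req):
    """Hardened pattern: every parameter is inspected, whatever method or
    location delivered it."""
    return all(SAFE_VALUE.fullmatch(v) for vals in all_params(req).values() for v in vals)


def handle(req, security_filter=strict_filter):
    """Dispatch one request; returns (status, headers, body)."""
    allowed = ROUTES.get(req.path)
    if allowed is None:
        return 404, {}, "not found"
    advertised = ", ".join(sorted(allowed | {"OPTIONS"}))
    if req.method == "OPTIONS":
        # Advertise exactly the methods this route supports, nothing more.
        return 204, {"Allow": advertised}, ""
    method, suppress_body = req.method, False
    if method == "HEAD" and "GET" in allowed:
        # HEAD is GET without a body: run the same checks, then drop the body.
        method, suppress_body = "GET", True
    if method not in allowed:
        # PUT, TRACE, a GET to a POST-only route, etc. stop here with 405 and
        # never reach the function or its authentication/filter logic.
        return 405, {"Allow": advertised}, "method not allowed"
    if not security_filter(req):
        return 400, {}, "rejected by security filter"
    return 200, {}, "" if suppress_body else "ok"


if __name__ == "__main__":
    tampered = Request("POST", "/files", body="filename=../notes.txt")
    print("weak filter   ->", handle(tampered, weak_filter)[0])    # 200: bypassed
    print("strict filter ->", handle(tampered)[0])                 # 400: caught
    print("PUT /files    ->", handle(Request("PUT", "/files"))[0])  # 405
```

The two filters differ only in which parameter sources they read, which is exactly the gap a verb-tampered request exploits; the allow-list check in front of them is what stops methods the application never meant to serve from reaching that code at all.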