HTTP Verb Tampering

Introduction

  • An HTTP Verb Tampering attack exploits web servers that accept many HTTP verbs (methods).

  • It is carried out by sending requests with an HTTP method the application does not expect.

  • This allows bypassing the web application's authorization mechanisms, or even bypassing its security controls entirely.


HTTP Verbs

  1. GET: Request data from a specified resource

  2. POST: Send data to a server to create/update a resource

  3. HEAD: Identical to a GET request, but its response only contains the headers, without the response body

  4. PUT: Writes the request payload to the specified location

  5. DELETE: Deletes the resource at the specified location

  6. OPTIONS: Shows different options accepted by a web server, like accepted HTTP verbs

  7. PATCH: Apply partial modifications to the resource at the specified location


HTTP Verbs Enumeration

To identify an HTTP Verb Tampering vulnerability, look for:

  1. Insecure configuration, such as an Apache block of the form: <Limit GET POST> Require valid-user </Limit>. The user-validity check is scoped to GET and POST only, so any other method bypasses it.

  2. Insecure coding, such as a PHP file that checks a specific HTTP method explicitly, e.g. if(..., $_GET["code"] ...). The check only covers GET, so any other method bypasses it.

  3. The list of methods the server accepts, obtained with: curl -i -X OPTIONS http://SERVER:PORT (the accepted verbs are returned in the Allow response header)
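The misconfiguration in points 1 and 2, modelled as two small WSGI handlers (added example, not code from the original notes): the vulnerable handler guards only the verbs it expects, while the hardened one refuses unlisted methods with 405 and applies the authorization check to every method it does accept. The credential and the /admin path are constructed for the example.

```python
import base64

# Verbs the application is meant to serve; anything else should be refused.
ALLOWED_METHODS = {"GET", "POST"}

# Constructed sample credential so the example runs offline.
VALID_AUTH = "Basic " + base64.b64encode(b"admin:s3cret").decode()


def _authorized(environ):
    """Compare the request's Authorization header with the expected value."""
    return environ.get("HTTP_AUTHORIZATION") == VALID_AUTH


def vulnerable_app(environ, start_response):
    """Guards GET and POST only, like <Limit GET POST>; other verbs skip the check."""
    if environ["REQUEST_METHOD"] in ALLOWED_METHODS and not _authorized(environ):
        start_response("401 Unauthorized", [("WWW-Authenticate", 'Basic realm="admin"')])
        return [b""]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"admin panel\n"]


def hardened_app(environ, start_response):
    """Refuse unexpected verbs first, then check authorization on every accepted verb.

    The Apache counterpart is to place Require valid-user outside any <Limit>
    block, so that it applies to all methods rather than a listed subset.
    """
    if environ["REQUEST_METHOD"] not in ALLOWED_METHODS:
        allow = ", ".join(sorted(ALLOWED_METHODS))
        start_response("405 Method Not Allowed", [("Allow", allow)])
        return [b""]
    if not _authorized(environ):
        start_response("401 Unauthorized", [("WWW-Authenticate", 'Basic realm="admin"')])
        return [b""]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"admin panel\n"]


def request(app, method, auth=None):
    """Drive a WSGI app with a constructed request; return (status, headers, body)."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": "/admin"}
    if auth is not None:
        environ["HTTP_AUTHORIZATION"] = auth
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body
```

Calling request(vulnerable_app, "HEAD") returns 200 without credentials, while request(hardened_app, "HEAD") returns 405 and request(hardened_app, "GET") returns 401 until a valid Authorization header is supplied.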


Examples of HTTP Verb Tampering

  1. Bypassing Basic Authentication: sometimes HTTP Basic Auth can be bypassed simply by changing the HTTP verb of the request.

  2. Bypassing Security Filters: sometimes a security filter can be bypassed when an error message such as "cannot GET resourcename" is shown, since the filter is applied only to the named verb.

  3. Forcing Errors: sometimes error logs or debug output can be triggered just by using an unexpected HTTP verb.
