# HTTP Verb Tampering

## **Introduction**

> * An HTTP Verb Tampering attack exploits web servers that accept many HTTP verbs and methods.
> * It is carried out by sending requests that use **unexpected HTTP methods**.
> * A successful attack bypasses the web application's authorization mechanisms or other security controls.

***

## **HTTP Verbs**

1. `GET`: Request data from a specified resource
2. `POST`: Send data to a server to create/update a resource
3. `HEAD`: Identical to a GET request, but its response only contains the `headers`, without the response body
4. `PUT`: Writes the request payload to the specified location
5. `DELETE`: Deletes the resource at the specified location
6. `OPTIONS`: Shows different options accepted by a web server, like accepted HTTP verbs
7. `PATCH`: Apply partial modifications to the resource at the specified location

***

## **HTTP Verbs Enumeration**

Ways to identify an HTTP Verb Tampering vulnerability:

1. **Insecure configuration**, such as `<Limit GET POST> require valid-user </Limit>`: the user validity check is tied to GET and POST only, so a request using any other method bypasses it
2. **Insecure coding**, such as a PHP file whose check is written against a single HTTP method, e.g. `if(..., $_GET["code"]`: a request using any method other than GET bypasses the `if` check
3. **Show all available HTTP methods**: `curl -i -X OPTIONS http://SERVER:PORT`
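The following is an added example, not code from the original notes: it models the two weak patterns from the list above (a credential check attached only to GET and POST, and an input filter that reads `$_GET` only) next to a deny-by-default version of each, and reports which verbs slip past. The request shape, the `/admin/` path, the verb set and the assumption that the handler reads the parameter from whichever source it arrived in (like PHP's `$_REQUEST`) are all assumptions made for the model.

```python
"""Added example, not from the original notes: models the two weak patterns the
enumeration list describes beside a deny-by-default check, and reports which
verbs slip past each. The request shape, path and verb set are assumptions."""
from dataclasses import dataclass, field


@dataclass
class Request:
    method: str
    path: str
    authenticated: bool = False
    query: dict = field(default_factory=dict)   # parameters from the URL (PHP's $_GET)
    body: dict = field(default_factory=dict)    # parameters from the body (PHP's $_POST)


PROTECTED_PREFIX = "/admin/"                 # assumed protected area
EXPECTED_METHODS = {"GET", "POST", "HEAD"}   # verbs the application is designed to serve
PROBE_METHODS = ["GET", "POST", "HEAD", "PUT", "DELETE", "OPTIONS", "PATCH", "TRACE"]


# Pattern 1: the configuration shape `<Limit GET POST> require valid-user </Limit>`.
def limit_style_authz(req: Request) -> bool:
    """The credential check is tied to two verbs, so every other verb skips it."""
    if req.path.startswith(PROTECTED_PREFIX) and req.method in {"GET", "POST"}:
        return req.authenticated
    return True


def hardened_authz(req: Request) -> bool:
    """Deny by default: refuse verbs the application does not serve, and apply
    the credential check to the protected path for every verb that remains."""
    if req.method not in EXPECTED_METHODS:
        return False
    if req.path.startswith(PROTECTED_PREFIX):
        return req.authenticated
    return True


def bypassing_verbs(authz, methods=PROBE_METHODS) -> list:
    """Verbs for which an unauthenticated request to the protected path is let through."""
    return [m for m in methods
            if authz(Request(method=m, path=PROTECTED_PREFIX + "index"))]


# Pattern 2: a filter written against one parameter source only (`$_GET["code"]`),
# while the handler (assumed here) reads the parameter from wherever it arrived.
BLOCKED_CHARS = set(";&|")


def handler_param(req: Request, name: str) -> str:
    """Merged view of query and body, like PHP's $_REQUEST (assumed handler behaviour)."""
    return {**req.query, **req.body}.get(name, "")


def get_only_filter(req: Request) -> bool:
    """Accepts the request unless the query-string value carries a blocked character;
    a value delivered in the body is never inspected."""
    return not (BLOCKED_CHARS & set(req.query.get("code", "")))


def all_sources_filter(req: Request) -> bool:
    """Inspects the same value the handler will actually use."""
    return not (BLOCKED_CHARS & set(handler_param(req, "code")))


if __name__ == "__main__":
    print("verbs bypassing <Limit>-style check:", bypassing_verbs(limit_style_authz))
    print("verbs bypassing hardened check     :", bypassing_verbs(hardened_authz))
    tampered = Request("POST", "/admin/index", authenticated=True, body={"code": "x; id"})
    print("GET-only filter accepts tampered request:", get_only_filter(tampered))
    print("all-sources filter accepts it           :", all_sources_filter(tampered))
```

The two fixes are the same idea in both places: decide on the value or verb the server will actually act on, not on the one the developer expected. In Apache specifically, that means placing `Require valid-user` outside any `<Limit>` block so it covers every method, or explicitly denying the verbs the site does not serve with a `<LimitExcept GET POST>` block containing `Require all denied`.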

***

## **Examples of HTTP Verb Tampering**

1. **Bypassing Basic Authentication:** sometimes it's possible to bypass HTTP Basic Auth by simply changing the HTTP verb
2. **Bypassing Security Filters:** sometimes it's possible to bypass security filters whenever an error message such as "cannot GET *resourcename*" is shown
3. **Forcing Errors:** sometimes it's possible to expose error logs just by using unexpected HTTP verbs
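Each of the three cases above leaves a trace in the web server's access log: a resource that denies a client under one verb and then serves the same client under another, an `OPTIONS` probe against a resource that already refused the client, or a verb that is not in the HTTP method registry at all. The detector below is an added example, not part of the original notes; it runs over Common Log Format lines, and the log lines, client addresses and paths are constructed for the example.

```python
"""Added example, not from the original notes: a small detector run over
access-log lines in Common Log Format that surfaces the traces verb tampering
leaves behind. The log lines, client addresses and paths are constructed."""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)$'
)
KNOWN_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "CONNECT", "OPTIONS", "TRACE", "PATCH"}
ACCESS_DENIED = {401, 403}

# Constructed sample: one client probes a protected script with several verbs,
# a second client browses normally.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /admin/reset.php HTTP/1.1" 401 381
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "OPTIONS /admin/reset.php HTTP/1.1" 200 0
203.0.113.5 - - [10/Oct/2023:13:55:44 +0000] "HEAD /admin/reset.php HTTP/1.1" 200 0
203.0.113.5 - - [10/Oct/2023:13:55:50 +0000] "FOO /admin/reset.php HTTP/1.1" 501 0
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /index.html HTTP/1.1" 200 2048
198.51.100.7 - - [10/Oct/2023:13:56:05 +0000] "POST /login HTTP/1.1" 302 0
"""


def parse_line(line):
    """One CLF line -> dict with ip, ts, method, path, proto, status (int), size; None if malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_verb_tampering(lines):
    """Returns (client, path, reason) tuples, in log order.

    Three signals: a verb outside the HTTP method registry, an OPTIONS probe
    against a resource that already denied the client, and a non-OPTIONS verb
    that was served (2xx) on a resource that denied the same client under
    another verb."""
    findings = []
    denied = defaultdict(set)   # (client, path) -> verbs that were refused
    for rec in filter(None, map(parse_line, lines)):
        ip, path, method, status = rec["ip"], rec["path"], rec["method"], rec["status"]
        key = (ip, path)
        if method not in KNOWN_METHODS:
            findings.append((ip, path, f"non-standard verb {method}"))
        if status in ACCESS_DENIED:
            denied[key].add(method)
            continue
        if not denied[key]:
            continue                      # nothing was refused here yet; ordinary traffic
        if method == "OPTIONS":
            findings.append((ip, path, "OPTIONS probe after access was denied"))
        elif 200 <= status < 300 and method not in denied[key]:
            refused = ",".join(sorted(denied[key]))
            findings.append((ip, path, f"{method} served after {refused} denied"))
    return findings


if __name__ == "__main__":
    for finding in find_verb_tampering(SAMPLE_LOG.splitlines()):
        print(*finding)
```

The state kept per (client, path) pair is what makes the second signal meaningful: a `HEAD` that returns 200 is unremarkable on its own, but a 200 on a path that returned 401 to the same client moments earlier is exactly the Basic Auth bypass described above. On a real log the detector would be fed lines as they arrive and the `denied` map aged out, but the decision logic stays the same.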
