HTTP Verb Tampering
HTTP Verb Tampering is a vulnerability in which an attacker changes the HTTP method (verb) of a request to bypass security controls in a web application. Many applications enforce authentication, authorization or input filtering only for the methods they expect (usually GET and POST) and fail to apply the same controls to less commonly used methods such as HEAD, PUT, DELETE or PATCH.
The basic test follows three steps:

1. Receive a 401 Unauthorized response -> the resource requires valid credentials for the method you used (typically GET).
2. Send an OPTIONS request -> this asks the server to list the HTTP methods (verbs) it allows for the resource, returned in the Allow header.
3. Attempt to bypass with different verbs -> knowing which verbs are allowed, change the HTTP method and resend the request to see whether authentication or other restrictions can be bypassed. The Allow header is only a hint, so also try common verbs (HEAD, PUT, DELETE, PATCH) even when they are not listed.
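The three steps above as a runnable example. This is an added example, not code from the original page: it starts a deliberately misconfigured local server that authenticates /admin for GET only, then probes it (and a fixed variant) with a small client that confirms the 401, reads the Allow header from OPTIONS and resends with each verb. The /admin path, the admin:secret credential, the advertised verb list and the loopback port are all assumptions chosen for the demo.

```python
"""Added example (not from the original page): a deliberately misconfigured
server that authenticates /admin for GET only, plus a probe that walks the
three steps above: confirm the 401, ask OPTIONS, then retry with every
advertised verb.  The /admin path, the admin:secret credential and the
advertised verb list are assumptions chosen for the demo."""
import base64
import http.server
import threading
import urllib.error
import urllib.request

# Verbs the demo server advertises in its Allow header (constructed list).
ALLOWED_VERBS = ("GET", "POST", "PUT", "DELETE", "PATCH", "OPTIONS")
# Basic credential the server expects: admin:secret (assumed, demo only).
EXPECTED_AUTH = "Basic " + base64.b64encode(b"admin:secret").decode()


class AdminHandler(http.server.BaseHTTPRequestHandler):
    # False reproduces the vulnerable "GET-only" rule; True is the fixed server.
    protect_all_methods = False

    def _authorised(self):
        return self.headers.get("Authorization") == EXPECTED_AUTH

    def _admin(self):
        if self.path != "/admin":
            self.send_response(404)
            self.end_headers()
            return
        # The flaw: authentication is only enforced when the method is GET.
        needs_auth = self.protect_all_methods or self.command == "GET"
        if needs_auth and not self._authorised():
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="admin"')
            self.end_headers()
            return
        body = b"admin panel\n"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    # Step 2 relies on this: the server lists the verbs it accepts.
    def do_OPTIONS(self):
        self.send_response(204)
        self.send_header("Allow", ", ".join(ALLOWED_VERBS))
        self.end_headers()

    def log_message(self, *args):
        pass  # keep the demo quiet


# Route every non-OPTIONS verb to the same handler, as a real app would.
for _verb in ("GET", "POST", "PUT", "DELETE", "PATCH"):
    setattr(AdminHandler, "do_" + _verb, AdminHandler._admin)


def start_server(protect_all_methods=False):
    """Start a throwaway server on a random loopback port; returns (server, admin_url)."""
    handler = type("Handler", (AdminHandler,), {"protect_all_methods": protect_all_methods})
    server = http.server.HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}/admin"


def request_status(url, method):
    """Send one request with the given verb (no credentials) and return the status code."""
    try:
        with urllib.request.urlopen(urllib.request.Request(url, method=method)) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def probe_verbs(url):
    """Steps 2 and 3: read the Allow header, then resend with each listed verb.
    Returns {verb: status}.  Allow is only a hint, so the commonly mis-handled
    verbs are probed even if the server omits them."""
    with urllib.request.urlopen(urllib.request.Request(url, method="OPTIONS")) as resp:
        advertised = [v.strip() for v in resp.headers.get("Allow", "").split(",") if v.strip()]
    candidates = dict.fromkeys(advertised + ["POST", "PUT", "DELETE", "PATCH"])
    return {v: request_status(url, v) for v in candidates if v not in ("OPTIONS", "HEAD")}


def find_bypasses(url):
    """Step 1, then 2 and 3: only worth probing if GET really is protected.
    Returns the sorted list of verbs that reached the page without credentials."""
    if request_status(url, "GET") != 401:
        return []
    return sorted(v for v, code in probe_verbs(url).items() if code == 200)


if __name__ == "__main__":
    for fixed in (False, True):
        server, url = start_server(protect_all_methods=fixed)
        print("fixed" if fixed else "vulnerable", "server bypass verbs:", find_bypasses(url))
        server.shutdown()
        server.server_close()
```

Against the vulnerable server the probe reports POST, PUT, DELETE and PATCH as reaching the page without credentials; against the fixed server, where the check is applied regardless of method, it reports none. The same client logic works against a real target by replacing the URL returned by start_server.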
HTTP Verb Tampering vulnerabilities can occur in most modern web servers, including Apache, Tomcat, and ASP.NET. The vulnerability usually arises when a page's authorization rule is limited to a particular set of HTTP verbs/methods, which leaves the remaining methods unprotected.
.htaccess (Apache configuration file)
A GET-only authorization rule in .htaccess leaves the Admin Panel reachable through HTTP Verb Tampering: the authorization for the Admin directory applies only to GET requests, so the page stays accessible through POST (or any other) requests.
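The weak rule beside its corrected form, as an added example (not the page's own snippet). The AuthUserFile path, realm name and the assumption that this .htaccess sits in the Admin directory are illustrative only.

```apacheconf
# Added example, not the page's own snippet. The htpasswd path and realm name
# are assumptions; the file is assumed to live in the Admin directory.

# Weak: the authentication directives are wrapped in <Limit GET>, so the Basic
# auth challenge is only issued for GET. POST, PUT, DELETE, PATCH and any other
# verb reach the directory without credentials.
<Limit GET>
    AuthType Basic
    AuthName "Admin Panel"
    AuthUserFile /etc/apache2/.htpasswd
    Require valid-user
</Limit>

# Fixed: no <Limit> wrapper, so the same rule applies to every method, including
# ones the application never expects to receive.
AuthType Basic
AuthName "Admin Panel"
AuthUserFile /etc/apache2/.htpasswd
Require valid-user
```

If some verbs genuinely need different treatment, Apache's documentation recommends `<LimitExcept>` over `<Limit>` for access control, because it restricts every method except the ones listed rather than only the ones listed.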
web.xml (Tomcat configuration file)
A security constraint in web.xml that names only the GET method leaves the Admin panel reachable through HTTP Verb Tampering: the authorization is limited to GET with http-method, which leaves the page accessible through every other HTTP method.
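The weak constraint beside its corrected form, as an added example (not the page's own snippet). Both fragments go inside the web-app element; the /admin/* pattern and the admin role name are assumptions.

```xml
<!-- Added example, not the page's own snippet; the URL pattern and role name are assumed. -->

<!-- Weak: the constraint names GET explicitly, so only GET requests to /admin/*
     require the admin role. POST, PUT, DELETE, PATCH (and any other verb) are
     uncovered and pass straight through. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Admin panel</web-resource-name>
    <url-pattern>/admin/*</url-pattern>
    <http-method>GET</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
</security-constraint>

<!-- Fixed: omit http-method so the constraint covers every method, and (Servlet
     3.1 and later) tell the container to reject methods that some constraint
     leaves uncovered instead of silently allowing them. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Admin panel</web-resource-name>
    <url-pattern>/admin/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
</security-constraint>
<deny-uncovered-http-methods/>
```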
web.config (ASP.NET configuration file)
An authorization rule in web.config whose allow and deny entries are scoped to the GET verb leaves the Admin panel reachable through HTTP Verb Tampering: the rules are only evaluated for GET, so the page remains accessible through other HTTP methods.
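The weak rule beside its corrected form, as an added example (not the page's own snippet). The "admin" location path and the admin role are assumptions.

```xml
<!-- Added example, not the page's own snippet; the location path and role name are assumed. -->

<!-- Weak: both rules carry verbs="GET", so the allow/deny decision is only made
     for GET. Other verbs match neither rule and fall through to the machine-level
     default, which allows everyone. -->
<location path="admin">
  <system.web>
    <authorization>
      <allow roles="admin" verbs="GET" />
      <deny users="*" verbs="GET" />
    </authorization>
  </system.web>
</location>

<!-- Fixed: drop the verbs attribute so the rules apply to every method. -->
<location path="admin">
  <system.web>
    <authorization>
      <allow roles="admin" />
      <deny users="*" />
    </authorization>
  </system.web>
</location>
```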
While identifying and patching insecure web server configurations is relatively easy, doing the same for insecure code is much harder. To find this vulnerability in code, we have to look for inconsistencies in how HTTP parameters are read and validated across functions: for example, a filter that inspects only the GET parameters while the function that actually uses the value reads it from any method. Such inconsistencies leave functionality and filters unprotected for the methods the developer did not consider.
In the following example, we can see pattern restrictions applied to GET requests to block SQL injections, but the developers did not consider other HTTP methods:
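A worked version of that pattern, added here rather than taken from the original page: a lookup whose SQL-injection allow-list is enforced only on GET query parameters while the query itself is built from whichever method supplied the value, beside a fixed version. The users table, the name parameter, the allow-list pattern and the sample rows are assumptions constructed for the demo.

```python
"""Added example (not the original page's code): the GET-only filtering mistake
in application code, beside a fixed version.  The table, column, parameter name,
allow-list pattern and sample rows are assumptions constructed for the demo."""
import re
import sqlite3

# Only plain identifiers are accepted as a user name (assumed allow-list).
SAFE_NAME = re.compile(r"^[A-Za-z0-9_]+$")

# Constructed payload: turns the WHERE clause into a tautology.
INJECTION = "' OR '1'='1"


def make_db():
    """In-memory table with constructed rows so the example runs offline."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users(name TEXT, is_admin INTEGER)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", 0), ("bob", 0), ("root", 1)])
    return db


def lookup_vulnerable(db, method, query, form):
    """The flaw: the allow-list is checked against the GET query string only,
    but the SQL is built from the merged parameter set (the equivalent of PHP's
    $_REQUEST or Flask's request.values), so the same value sent in a POST body
    skips the check entirely."""
    if method == "GET" and not SAFE_NAME.match(query.get("name", "")):
        return "blocked"
    params = {**query, **form}
    name = params.get("name", "")
    sql = f"SELECT name FROM users WHERE name = '{name}'"  # string-built SQL
    return [row[0] for row in db.execute(sql)]


def lookup_fixed(db, method, query, form):
    """Validate the value that is actually used, whichever verb carried it, and
    bind it as a parameter so the allow-list is defence in depth rather than the
    only control.  `method` is accepted for symmetry but plays no part in the check."""
    params = {**query, **form}
    name = params.get("name", "")
    if not SAFE_NAME.match(name):
        return "blocked"
    return [row[0] for row in db.execute("SELECT name FROM users WHERE name = ?", (name,))]


if __name__ == "__main__":
    db = make_db()
    print("GET  vulnerable:", lookup_vulnerable(db, "GET", {"name": INJECTION}, {}))
    print("POST vulnerable:", lookup_vulnerable(db, "POST", {}, {"name": INJECTION}))
    print("POST fixed     :", lookup_fixed(db, "POST", {}, {"name": INJECTION}))
```

Sending the payload as a GET parameter is blocked, but the identical value in a POST body returns every row, including the privileged one, because the filter and the query disagree about where the parameter comes from. The fixed version validates the merged value and binds it, so the verb no longer matters.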