HTTP Verb Tampering


Last updated 9 months ago


HTTP Verb Tampering is a vulnerability where an attacker manipulates the HTTP method (e.g., GET, POST, PUT, DELETE) used in requests to bypass security controls or access unauthorized functionality.

This can lead to unauthorized actions, data modification, or security breaches if the application does not properly validate or restrict HTTP methods.

Implement strict server-side validation of allowed HTTP methods, use proper access controls for each method, and configure web servers and applications to reject unsupported or unexpected methods.
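Added example (not code from this page or from crAPI) illustrating the mitigation above: a minimal WSGI app with the verb-keyed access check beside its hardened form, which allow-lists verbs per route, answers any other verb with 405 plus an Allow header, and authorizes every allowed verb. The route path, the roles and the X-Role header are assumptions made for the illustration.

```python
# Added example, not code from the page or from crAPI: the path, role header and
# roles below are constructed to illustrate verb tampering and its fix.
from typing import Callable, Iterable

ADMIN_PATH = "/workshop/api/shop/orders"   # constructed, modelled on the page's crAPI path
ROLE_HEADER = "HTTP_X_ROLE"                # constructed stand-in for a verified session/JWT role

def _reply(start_response: Callable, status: str, body: bytes, extra=()) -> Iterable[bytes]:
    start_response(status, [("Content-Type", "text/plain"), *extra])
    return [body]

def vulnerable_app(environ: dict, start_response: Callable) -> Iterable[bytes]:
    """Authorization is keyed to the verbs the developer expected, so GET, HEAD or an
    invented verb reaches the privileged handler unchecked (what ffuf/nmap probing finds)."""
    method, path, role = environ["REQUEST_METHOD"], environ["PATH_INFO"], environ.get(ROLE_HEADER, "anon")
    if path != ADMIN_PATH:
        return _reply(start_response, "404 Not Found", b"not found")
    if method in {"POST", "PUT", "DELETE"} and role != "admin":   # weak: per-verb check
        return _reply(start_response, "403 Forbidden", b"forbidden")
    return _reply(start_response, "200 OK", b"orders purged")     # legacy handler ignores the verb

# Hardened: an allow-list of verbs per route, 405 + Allow for anything else, and a role
# check applied to every allowed verb, so changing the method never skips authorization.
ROUTES = {ADMIN_PATH: ({"GET", "DELETE"}, "admin")}

def hardened_app(environ: dict, start_response: Callable) -> Iterable[bytes]:
    method, path, role = environ["REQUEST_METHOD"], environ["PATH_INFO"], environ.get(ROLE_HEADER, "anon")
    route = ROUTES.get(path)
    if route is None:
        return _reply(start_response, "404 Not Found", b"not found")
    allowed, required_role = route
    if method not in allowed:
        return _reply(start_response, "405 Method Not Allowed", b"method not allowed",
                      [("Allow", ", ".join(sorted(allowed)))])
    if role != required_role:
        return _reply(start_response, "403 Forbidden", b"forbidden")
    return _reply(start_response, "200 OK", b"orders purged" if method == "DELETE" else b"orders listed")

def call(app: Callable, method: str, path: str, role: str = "anon") -> tuple:
    """Drive either app with a synthetic WSGI environ; returns (status, headers, body)."""
    captured = {}
    def start_response(status, headers):
        captured["status"], captured["headers"] = status, dict(headers)
    body = b"".join(app({"REQUEST_METHOD": method, "PATH_INFO": path, ROLE_HEADER: role}, start_response))
    return captured["status"], captured["headers"], body
```

Running the same verb list against both apps (as ffuf does with -fc 405) shows the hardened app answering only GET and DELETE, and refusing both of them to a non-admin.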

Burp

We can test for HTTP verb tampering with Burp on a request-by-request basis, either manually (Figures 1, 2 & 3) or with Intruder (Figures 4 & 5).

Manual

The below example is based on PortSwigger's "Finding and exploiting an unused API endpoint" lab.

Figure 1: Testing different HTTP verbs.
Figure 2: Getting hints from verbose errors.
Figure 3: Exploiting the HTTP verb tampering flaw.

Fuzzing

The below example, as well as the ones in the CLI section, is based on the crAPI application.

Figure 4: Using Intruder to fuzz for various HTTP verbs.
Figure 5: Reviewing Intruder's results.

CLI

Fuzzing

# Fuzzing for allowed methods in CLI (authenticated): -mc all shows every status code, -fc 405 hides Method Not Allowed
$ ffuf -u http://localhost:8888/workshop/api/shop/products -w /usr/share/wordlists/seclists/Fuzzing/http-request-methods.txt -X FUZZ -H 'Authorization: Bearer eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJ4NzMzMUBtYWlsLmNvbSIsInJvbGUiOiJ1c2VyIiwiaWF0IjoxNzE5MzkzOTkwLCJleHAiOjE3MTk5OTg3OTB9.jZkxMQq8rbFtlBJyNcaNArb-BOv6Rfv1SrKO2cJE1sxmetAcImaLkplWfLzVNBXYeZpmB8DlIXUKrK0IHpJ744Jze_YaOrgbHqGg2ysbCfbKPZLwgSKDj0D2gjc21MIdQ3nqrpHi9wC-9rPMTUs5_S6L8-zyDf6PS5CWhxfsPJKXiqR54XJ1w95Xfy0lWbSQ7-O15ETC5AuDFZJkymGwqDJU77Rsl4143LZQEZIwPmDMiMqIWnEsJAIgRFxo0GfK7M4gtrBxN1WhzTwjOyFbNju7plY965Tu8IMQiGsiAGYtQOOcxdxtuSLl4fF6xbDvXyR5ccP4hpuCvOimZjYXgQ' -c -mc all -fc 405

# Or, unauthenticated
$ ffuf -u http://localhost:8888/workshop/api/shop/products -w /usr/share/wordlists/seclists/Fuzzing/http-request-methods.txt -X FUZZ -c -fc 405

Nmap

We can also use Nmap's http-methods script.

$ nmap --script http-methods --script-args http-methods.url-path='/workshop/api/shop/orders' localhost -p 8443
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-29 12:08 BST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000079s latency).

PORT     STATE SERVICE
8443/tcp open  https-alt
| http-methods:
|   Supported Methods: GET POST PUT HEAD OPTIONS
|   Potentially risky methods: PUT
|_  Path tested: /workshop/api/shop/orders

Nmap done: 1 IP address (1 host up) scanned in 0.07 seconds