HTTP Verb Tampering

HTTP Verb Tampering is a vulnerability where an attacker manipulates the HTTP method (e.g., GET, POST, PUT, DELETE) used in requests to bypass security controls or access unauthorized functionality.

This can lead to unauthorized actions, data modification, or security breaches if the application does not properly validate or restrict HTTP methods.

Implement strict server-side validation of allowed HTTP methods, use proper access controls for each method, and configure web servers and applications to reject unsupported or unexpected methods.

Burp

We can test for HTTP verb tampering with Burp on a request-by-request basis either manually (Figure 1, 2, & 3) or with Intruder (Figure 4 & 5).

Manual

The below example is based on PortSwigger's Finding and exploiting an unused API endpoint lab.

Figure 1: Testing different HTTP verbs.
Figure 2: Getting hints from verbose errors.
Figure 3: Exploiting the HTTP verb tampering flaw.

Fuzzing

The below example as well as the ones on the CLI section are based on the crAPI application.

Figure 4: Using Intruder to fuzz for various HTTP verbs.
Figure 5: Reviewing Intruder's results.

CLI

Fuzzing

# Fuzzing for allowed methods in CLI
ffuf -u http://localhost:8888/workshop/api/shop/products -w /usr/share/wordlists/seclists/Fuzzing/http-request-methods.txt -X FUZZ -H 'Authorization: Bearer eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJ4NzMzMUBtYWlsLmNvbSIsInJvbGUiOiJ1c2VyIiwiaWF0IjoxNzE5MzkzOTkwLCJleHAiOjE3MTk5OTg3OTB9.jZkxMQq8rbFtlBJyNcaNArb-BOv6Rfv1SrKO2cJE1sxmetAcImaLkplWfLzVNBXYeZpmB8DlIXUKrK0IHpJ744Jze_YaOrgbHqGg2ysbCfbKPZLwgSKDj0D2gjc21MIdQ3nqrpHi9wC-9rPMTUs5_S6L8-zyDf6PS5CWhxfsPJKXiqR54XJ1w95Xfy0lWbSQ7-O15ETC5AuDFZJkymGwqDJU77Rsl4143LZQEZIwPmDMiMqIWnEsJAIgRFxo0GfK7M4gtrBxN1WhzTwjOyFbNju7plY965Tu8IMQiGsiAGYtQOOcxdxtuSLl4fF6xbDvXyR5ccP4hpuCvOimZjYXgQ' -c -mc all -fc 405

# Or
$ ffuf -u http://localhost:8888/workshop/api/shop/products -w /usr/share/wordlists/seclists/Fuzzing/http-request-methods.txt -X FUZZ -c -fc 405

Nmap

We can also use the Nmap's http-methods script.

$ nmap --script http-methods --script-args http-methods.url-path='/workshop/api/shop/orders' localhost -p 8443
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-29 12:08 BST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000079s latency).

PORT     STATE SERVICE
8443/tcp open  https-alt
| http-methods:
|   Supported Methods: GET POST PUT HEAD OPTIONS
|   Potentially risky methods: PUT
|_  Path tested: /workshop/api/shop/orders

Nmap done: 1 IP address (1 host up) scanned in 0.07 seconds
PreviousExcessive Data ExposureNextContent Type Tampering

Last updated

Was this helpful?