HTTP Verb Tampering


HTTP Verb Tampering is a vulnerability where an attacker manipulates the HTTP method (e.g., GET, POST, PUT, DELETE) used in requests to bypass security controls or access unauthorized functionality.
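The root cause is usually an authorization check that is tied to one method while the handler itself runs for any method. The following is an added example (not code from the original page): a toy router with the flawed pattern next to the hardened form, which rejects verbs the endpoint does not implement with 405 and authorizes regardless of verb. The `Request` class, `is_admin()` and the `/admin/users` endpoint are assumptions made for the demonstration.

```python
"""Added example, not code from the original page. A toy router that shows
the root cause of HTTP verb tampering (an authorization check that only fires
for one method) next to the hardened form (explicit method allow-list plus a
check that runs for every method). Request objects are constructed inline."""
from dataclasses import dataclass, field


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)


def is_admin(req: Request) -> bool:
    """Stand-in for a session/role lookup (assumption for this example)."""
    return req.headers.get("X-Role") == "admin"


def user_id(req: Request) -> str:
    return req.path.rsplit("/", 1)[-1]


# --- Vulnerable pattern ------------------------------------------------
# The guard is tied to POST, but the destructive action runs for any
# method that reaches the handler, so a different verb skips the check.
def delete_user_vulnerable(req: Request) -> tuple:
    if req.method == "POST" and not is_admin(req):
        return 403, "forbidden"
    return 200, "deleted " + user_id(req)


# --- Hardened pattern --------------------------------------------------
# Methods each endpoint actually implements; everything else gets 405.
ALLOWED_METHODS = {"/admin/users": {"POST", "DELETE"}}


def delete_user_hardened(req: Request) -> tuple:
    endpoint = req.path.rsplit("/", 1)[0]
    if req.method not in ALLOWED_METHODS.get(endpoint, set()):
        return 405, "method not allowed"
    if not is_admin(req):           # authorize regardless of verb
        return 403, "forbidden"
    return 200, "deleted " + user_id(req)


PROBE_METHODS = ["GET", "HEAD", "POST", "PUT", "PATCH", "DELETE", "OPTIONS", "FOO"]


def probe(handler, path="/admin/users/42", headers=None) -> dict:
    """Send the same unauthenticated request with each verb and collect the
    status codes; this doubles as the regression test for the hardened form."""
    return {m: handler(Request(m, path, headers or {}))[0] for m in PROBE_METHODS}


if __name__ == "__main__":
    print("vulnerable:", probe(delete_user_vulnerable))
    print("hardened:  ", probe(delete_user_hardened))
```

`probe()` is the check worth keeping in a test suite: every method outside the allow-list must return 405, and the allow-listed ones must return 403 without authorization. In frameworks that route by method (for example a `methods=[...]` list on the route), the route declaration is the allow-list, but the authorization guard inside the handler still has to be method-independent.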


Burp

We can test for HTTP verb tampering with Burp on a request-by-request basis, either manually (Figures 1, 2 and 3) or with Intruder (Figures 4 and 5).

Manual

The example below is based on PortSwigger's Finding and exploiting an unused API endpoint lab.

Figure 1: Testing different HTTP verbs.
Figure 2: Getting hints from verbose errors.
Figure 3: Exploiting the HTTP verb tampering flaw.

Fuzzing

The example below, as well as the ones in the CLI section, is based on the crAPI application.

Figure 4: Using Intruder to fuzz for various HTTP verbs.
Figure 5: Reviewing Intruder's results.

CLI

Fuzzing

Nmap

We can also use Nmap's http-methods script.
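The defender-side counterpart to the Intruder and Nmap fuzzing above is spotting that activity in the server's own logs. The following is an added example (not code from the original page) that parses combined-format access log lines and reports requests using methods outside the application's expected set, the subset the server did not reject (the real findings), and client/path pairs that cycled through many distinct verbs. The log lines, addresses and `/api/v1/profile` path are constructed for the example and are not crAPI's.

```python
"""Added example, not code from the original page: a defender-side check that
runs over web-server access logs (combined log format) and flags the traffic
a verb-fuzzing pass leaves behind. The log lines are constructed for the
example; the paths and addresses are placeholders, not crAPI's."""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]+" (?P<status>\d{3}) \S+'
)

# Methods the application is expected to serve; anything else is worth a look.
EXPECTED_METHODS = {"GET", "POST", "HEAD", "OPTIONS"}
# Responses that show the server refused the verb rather than serving it.
REJECTED_STATUSES = {405, 501}


def parse_line(line: str):
    m = LOG_RE.match(line)
    if not m:
        return None              # malformed or non-standard request line
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def analyze(lines, method_threshold: int = 4) -> dict:
    """Return three views of the log:
    unexpected - requests using a method outside EXPECTED_METHODS
    accepted   - the subset the server did NOT reject (the real findings)
    fuzzers    - (client, path) pairs that cycled through many methods"""
    unexpected, accepted = [], []
    methods_seen = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        methods_seen[(rec["ip"], rec["path"])].add(rec["method"])
        if rec["method"] not in EXPECTED_METHODS:
            unexpected.append(rec)
            if rec["status"] not in REJECTED_STATUSES:
                accepted.append(rec)
    fuzzers = {k: len(v) for k, v in methods_seen.items() if len(v) >= method_threshold}
    return {"unexpected": unexpected, "accepted": accepted, "fuzzers": fuzzers}


# Constructed sample: one ordinary client and one cycling through verbs.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "GET /api/v1/profile HTTP/1.1" 200 512
198.51.100.7 - - [10/Oct/2023:13:55:40 +0000] "POST /api/v1/profile HTTP/1.1" 200 87
203.0.113.9 - - [10/Oct/2023:14:02:01 +0000] "GET /api/v1/profile HTTP/1.1" 200 512
203.0.113.9 - - [10/Oct/2023:14:02:01 +0000] "PUT /api/v1/profile HTTP/1.1" 405 0
203.0.113.9 - - [10/Oct/2023:14:02:02 +0000] "DELETE /api/v1/profile HTTP/1.1" 405 0
203.0.113.9 - - [10/Oct/2023:14:02:02 +0000] "PATCH /api/v1/profile HTTP/1.1" 200 87
203.0.113.9 - - [10/Oct/2023:14:02:03 +0000] "TRACE /api/v1/profile HTTP/1.1" 405 0
203.0.113.9 - - [10/Oct/2023:14:02:03 +0000] "FOO /api/v1/profile HTTP/1.1" 405 0
"""

if __name__ == "__main__":
    result = analyze(SAMPLE_LOG.splitlines())
    for rec in result["accepted"]:
        print("accepted unexpected verb:", rec["ip"], rec["method"], rec["path"], rec["status"])
    for (ip, path), n in result["fuzzers"].items():
        print(f"{ip} used {n} distinct methods against {path}")
```

The `accepted` list is the one to act on: an unexpected method answered with anything other than 405 or 501 means the endpoint served it, which is exactly what the Burp and Nmap passes above look for. The `fuzzers` view is the noisier signal that someone is running such a pass against the application, and `method_threshold` should be tuned to what legitimate clients of the application actually use.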
