HTTP Verb Tampering

HTTP Verbs

9 different verbs. Verb tampering means sending a request with a verb (or a parameter source) that the server configuration or the application code did not anticipate, so that a restriction written for one verb does not apply to the request.

Causes

  • Insecure Configuration (authorization scoped to only some verbs)

# Only GET and POST require a logged-in user; any verb outside this list is not covered by the Require
<Limit GET POST>
    Require valid-user
</Limit>
  • Insecure Coding (input validated from one source, used from another)

<?php
$pattern = "/^[A-Za-z\s]+$/";

// The filter checks $_GET["code"], but the query reads $_REQUEST["code"],
// which also merges POST and COOKIE values; the two need not be the same value.
if (preg_match($pattern, $_GET["code"])) {
    $query = "Select * from ports where port_code like '%" . $_REQUEST["code"] . "%'";
    // ...SNIP...
}
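The weak directive from the Insecure Configuration bullet next to two corrected forms, as an added example that is not part of the original page. The directory path, realm name and htpasswd location are assumptions; the verb behaviour is Apache's documented semantics for <Limit> and <LimitExcept>.

```apache
# WEAK: Require lives inside <Limit GET POST>, so only those verbs (Apache
# treats HEAD as GET here) are authenticated. PUT, DELETE, PATCH, OPTIONS or
# any unlisted verb name reaches the resource with no login at all.
<Directory "/var/www/html/admin">          # assumed path
    AuthType Basic
    AuthName "Admin area"                  # assumed realm
    AuthUserFile "/etc/apache2/.htpasswd"  # assumed file
    <Limit GET POST>
        Require valid-user
    </Limit>
</Directory>

# FIXED (1): put Require outside any <Limit> so it applies to every verb.
<Directory "/var/www/html/admin">
    AuthType Basic
    AuthName "Admin area"
    AuthUserFile "/etc/apache2/.htpasswd"
    Require valid-user
</Directory>

# FIXED (2): the application only needs GET and POST, so authenticate those
# and reject everything else. <Limit> and <LimitExcept> with the same verb
# list are disjoint, so each request matches exactly one of the two sections.
<Directory "/var/www/html/admin">
    AuthType Basic
    AuthName "Admin area"
    AuthUserFile "/etc/apache2/.htpasswd"
    <Limit GET POST>
        Require valid-user
    </Limit>
    <LimitExcept GET POST>
        Require all denied
    </LimitExcept>
</Directory>
```

After changing the configuration, check it from the outside the same way the Exploit section describes the weakness: send a request with each verb the OPTIONS response lists and confirm the protected path answers 401 (or 403 for the verbs that are denied outright) for every one of them, not only for GET and POST.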

Exploit

  • POST -> GET (or GET -> POST): the same parameters sent with the other verb, so that a check written for one parameter source ($_GET) is skipped while the code that reads the merged source ($_REQUEST) still runs

  • VERB -> another verb listed as allowed in the OPTIONS response, so that a restriction scoped to specific verbs (the <Limit GET POST> above) does not apply to the request

Prevention

  • Fix the application/server config: apply authorization to ALL verbs (Require outside any <Limit>, or <LimitExcept> for the rest) and disallow verbs the application does not use (HEAD)

  • Be consistent in the use of HTTP methods when coding: take the parameter from the one source the endpoint is designed for and validate exactly the value that is then used
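A hardened version of the Insecure Coding snippet, added here as an example; it is not the original page's code. It assumes a PDO connection and a `ports` table with a `port_code` column (the original query implies both), and builds an in-memory SQLite table as constructed sample data so it runs stand-alone.

```php
<?php
// Added example (not the page's code). Assumptions: PDO is available and the
// table `ports` has a `port_code` column, as the original query implies.

function lookup_ports(PDO $pdo, array $params): array
{
    // Read the value from ONE array, chosen by the endpoint's design. Mixing
    // $_GET for the check and $_REQUEST for the query is the original bug:
    // $_REQUEST merges GET, POST and COOKIE, and with PHP's default ordering a
    // POST or COOKIE value overrides the GET value that was validated.
    $code = $params['code'] ?? null;
    if (!is_string($code)) {
        throw new InvalidArgumentException('missing or malformed code');
    }

    // Same allow-list as the page, applied to exactly the value used below.
    // The D modifier stops '$' from accepting a trailing newline.
    if (!preg_match('/^[A-Za-z\s]+$/D', $code)) {
        throw new InvalidArgumentException('code contains disallowed characters');
    }

    // Parameterised query: the value never becomes part of the SQL text, so
    // the query structure cannot change even if the allow-list were loosened.
    $stmt = $pdo->prepare('SELECT * FROM ports WHERE port_code LIKE :pattern');
    $stmt->execute([':pattern' => '%' . $code . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Enforce the verb at the entry point too: this endpoint is a read, so it
// only serves GET, and $_GET alone feeds both the check and the query.
if (PHP_SAPI !== 'cli' && $_SERVER['REQUEST_METHOD'] !== 'GET') {
    http_response_code(405);
    header('Allow: GET');
    exit;
}

// Constructed sample data so the example runs offline (swap for your real DSN).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE ports (port_code TEXT)');
$pdo->exec("INSERT INTO ports (port_code) VALUES ('ABC'), ('ABD'), ('XYZ')");

// Under CLI there is no request, so use a constructed parameter set.
$input = PHP_SAPI === 'cli' ? ['code' => 'AB'] : $_GET;
echo json_encode(lookup_ports($pdo, $input)), PHP_EOL;

// Demonstrate that a value only valid in the merged source is now rejected:
// the original code would have run the second value in the query.
try {
    lookup_ports($pdo, ['code' => "' OR 1=1 --"]);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The two changes map directly onto the two Prevention bullets: the verb check at the top rejects anything but the intended method, and the lookup function validates and uses one and the same value, so resending the request as POST cannot smuggle a second `code` past the filter.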
