HTTP verb tampering via POST
Description
HTTP Verb Tampering is an authentication bypass vulnerability that occurs when security controls restrict access based on specific HTTP methods (verbs) but fail to block unlisted methods. This vulnerability was detected when a POST request successfully bypassed authorization controls that should have protected the resource. The vulnerability exists when: (1) security controls use an allowlist of HTTP verbs, (2) the controls do not explicitly deny unlisted verbs, and (3) the application processes requests using non-standard verbs or treats them as standard GET/POST operations. This commonly affects Apache servers using <Limit> directives in .htaccess files, which only restrict specified verbs while leaving others unrestricted.
Remediation
Implement proper HTTP verb restrictions using secure configuration practices:

For Apache servers with .htaccess:
Replace <Limit> directives with <LimitExcept> to explicitly allow only safe methods while blocking all others:

    <LimitExcept GET POST>
        Require all denied
    </LimitExcept>
    <Limit GET POST>
        Require valid-user
    </Limit>

General recommendations:
- Configure security controls to use a default-deny approach that blocks all HTTP verbs except those explicitly required
- Ensure authentication and authorization checks are applied uniformly regardless of the HTTP verb used
- Validate that application frameworks enforce verb restrictions at both the web server and application layer
- Implement strict request method validation in application code to reject unexpected HTTP verbs
- Review and test all protected endpoints to confirm they properly enforce access controls for all HTTP methods
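As an added audit check (example code written for this note, not part of the original finding), the script below reads an .htaccess fragment and reports which HTTP methods no Require directive covers, mirroring the Apache rule that <Limit> applies only to the listed methods (GET also covers HEAD) while <LimitExcept> applies to every method not listed. The probe method list and both configuration samples are constructed for the example.

```python
import re

# Methods to evaluate: a constructed probe list for this example, not exhaustive.
METHODS = ["GET", "HEAD", "POST", "PUT", "DELETE", "PATCH", "OPTIONS", "TRACE"]
BLOCK_RE = re.compile(r"<(Limit|LimitExcept)\s+([^>]+)>(.*?)</(?:Limit|LimitExcept)>", re.I | re.S)
REQUIRE_RE = re.compile(r"^\s*Require\s+(.+?)\s*$", re.I | re.M)

def effective_requirements(htaccess: str) -> dict:
    """Map each probe method to the Require directives that govern it.
    Apache semantics: a Require outside any section applies to every method;
    inside <Limit> only to the listed methods (GET implies HEAD);
    inside <LimitExcept> to every method that is NOT listed."""
    reqs = {m: [] for m in METHODS}
    # Require lines outside any Limit/LimitExcept section apply globally.
    for r in REQUIRE_RE.findall(BLOCK_RE.sub("", htaccess)):
        for m in METHODS:
            reqs[m].append(r)
    for kind, listed, body in BLOCK_RE.findall(htaccess):
        names = {n.upper() for n in listed.split()}
        if "GET" in names:
            names.add("HEAD")
        for r in REQUIRE_RE.findall(body):
            for m in METHODS:
                in_scope = (m in names) if kind.lower() == "limit" else (m not in names)
                if in_scope:
                    reqs[m].append(r)
    return reqs

def unprotected_methods(htaccess: str) -> list:
    """Methods no Require directive touches: verb tampering candidates."""
    return [m for m, r in effective_requirements(htaccess).items() if not r]

# Constructed samples: the <Limit>-only pattern the finding describes, and the fix.
VULNERABLE = """
<Limit GET POST>
    Require valid-user
</Limit>
"""
FIXED = """
<LimitExcept GET POST>
    Require all denied
</LimitExcept>
<Limit GET POST>
    Require valid-user
</Limit>
"""

if __name__ == "__main__":
    print("vulnerable leaves open:", unprotected_methods(VULNERABLE))  # PUT, DELETE, PATCH, OPTIONS, TRACE
    print("fixed leaves open:", unprotected_methods(FIXED))            # []
```

The check only models Limit and LimitExcept sections; directives such as AuthType that the valid-user requirement depends on are outside its scope and must be reviewed separately.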