Method Tampering
Description
HTTP Method Tampering (also known as HTTP Verb Tampering) is a vulnerability that occurs when a web application or server enforces authorization only for specific HTTP methods (such as GET or POST) and fails to restrict other valid or custom HTTP methods. An attacker can then bypass authentication and authorization by sending the same request with an alternative verb such as HEAD, PUT, DELETE, TRACE, or an arbitrary custom method. The vulnerability typically arises from access control configurations that name only the methods to be restricted (for example Apache's <Limit> directive) rather than denying everything not explicitly allowed, which leaves every unlisted method unrestricted. In this case, the scanner successfully bypassed authorization by using a custom HTTP verb (WVS), demonstrating that the application does not validate or restrict all HTTP methods.
Remediation
Implement proper HTTP method validation and access controls across all endpoints. Specifically:

For Apache with .htaccess:
Use LimitExcept instead of Limit to deny all HTTP methods except those explicitly allowed:

    <LimitExcept GET POST>
        Require all denied
    </LimitExcept>
    <Limit GET POST>
        Require valid-user
    </Limit>

General recommendations:
- Configure your web server and application framework to reject unrecognized or unexpected HTTP methods
- Implement authorization checks that are method-agnostic and apply to all HTTP verbs
- Explicitly define which HTTP methods are allowed for each endpoint and reject all others
- Ensure that security controls are applied at the application layer, not just the web server layer
- Test your access controls with various HTTP methods including HEAD, OPTIONS, PUT, DELETE, TRACE, TRACK, and custom verbs

Consult the referenced OWASP testing guide for platform-specific remediation steps.
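The application-layer recommendations above, shown as an added example that is not part of the original finding: a minimal, framework-independent request model (the Request class, is_authenticated, the token value and the /admin path are all constructed for illustration) with the vulnerable pattern, which mirrors a <Limit GET POST>-style check that only runs for the listed verbs, beside the hardened form, which rejects any method not explicitly allowed and then applies the authorization check regardless of verb. The probe function performs the last recommendation, exercising a protected path with each verb named in the finding and reporting the status each one receives without credentials.

```python
"""Method-agnostic authorization versus a verb-limited check (added example).

The request model, token value and paths below are constructed for this
illustration; they do not come from the scanner or from any framework.
"""
from dataclasses import dataclass, field

# The only verbs the protected endpoint legitimately serves.
ALLOWED_METHODS = {"GET", "POST"}
# Paths that require an authenticated user (constructed).
PROTECTED_PATHS = {"/admin"}
# Constructed stand-in for a real session or token check.
VALID_TOKEN = "Bearer valid-user-token"


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)


def is_authenticated(req: Request) -> bool:
    """Placeholder credential check; a real app would validate a session/token."""
    return req.headers.get("Authorization") == VALID_TOKEN


def vulnerable_authorize(req: Request) -> int:
    """Verb-limited check, analogous to <Limit GET POST> Require valid-user.

    The authorization test only runs when the method is one of the listed
    verbs, so HEAD, PUT, TRACE or a custom verb such as WVS reaches the
    handler (200) without ever being challenged.
    """
    if req.path in PROTECTED_PATHS and req.method in ("GET", "POST"):
        if not is_authenticated(req):
            return 401
    return 200


def hardened_authorize(req: Request) -> int:
    """Deny-by-default on method, then authorize independently of the verb.

    Step 1 is the application-layer equivalent of <LimitExcept GET POST>
    Require all denied: anything not explicitly allowed gets 405.
    Step 2 applies the same authorization rule to every permitted verb.
    """
    if req.method not in ALLOWED_METHODS:
        return 405
    if req.path in PROTECTED_PATHS and not is_authenticated(req):
        return 401
    return 200


def probe(authorize, methods=("GET", "POST", "HEAD", "PUT", "DELETE",
                              "TRACE", "TRACK", "OPTIONS", "WVS")) -> dict:
    """Send each verb to the protected path with no credentials.

    Returns {method: status}. Any 200 here is a method-tampering bypass,
    which is exactly what a verb-coverage test of access controls looks for.
    """
    return {m: authorize(Request(m, "/admin")) for m in methods}


def bypassing_methods(authorize) -> list:
    """Verbs that reach the protected handler unauthenticated."""
    return sorted(m for m, status in probe(authorize).items() if status == 200)


if __name__ == "__main__":
    print("verb-limited check  :", probe(vulnerable_authorize))
    print("method-agnostic check:", probe(hardened_authorize))
    print("bypasses (vulnerable):", bypassing_methods(vulnerable_authorize))
    print("bypasses (hardened)  :", bypassing_methods(hardened_authorize))
```

Running the probe against the verb-limited variant lists every verb outside GET and POST as a bypass; against the hardened variant the same probe yields only 401 and 405, which is the result to expect from an endpoint that passes this finding's check.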