Security Vulnerability
HTTP Verb Tampering
Understanding HTTP Method Override attacks and how to prevent them
HTTP Verb Tampering is a web security vulnerability that occurs when an attacker changes the HTTP request method, either directly or through a method-override header, so that a request reaches a handler while bypassing security controls that were keyed to a different method, gaining unauthorized access to resources or actions.
How HTTP Verb Tampering Works
Understanding the mechanics of HTTP method manipulation attacks
Web applications rely on HTTP verbs to determine the intended action for a request. Attackers can manipulate these methods to bypass security controls:
Standard HTTP Methods:
- GET - Retrieves data
- POST - Creates new data
- PUT - Updates existing data
- DELETE - Deletes data
- PATCH - Partial updates
Attack Scenarios:
- Switching between GET and POST when CSRF tokens are validated for only one of them (typically forcing a state change through GET when the token is checked only on POST)
- Using PUT (or another verb the route also accepts) when the admin check is attached only to POST, so the same update runs without the check
- Sending DELETE to a resource whose access control lists only the verbs the developer expected, so DELETE falls through to a default handler
- Using HEAD, which most servers route to the GET handler, to slip past filters or logging rules that match on GET only
Attack Example
Illustrative example of HTTP verb tampering exploitation
Vulnerable Endpoint:
GET /api/users/123 - View user profile
POST /api/users/123 - Update user profile (admin only)
Attack Request:
```http
POST /api/users/123 HTTP/1.1
Host: vulnerable-app.com
Content-Type: application/json
X-HTTP-Method-Override: PUT

{"role": "admin", "permissions": "all"}
```
The request arrives as a POST, but method-override middleware rewrites the method to PUT before the authorization check runs. The admin check is attached only to POST, so the overridden PUT falls through it, and the route's update handler (which accepts PUT as well as POST) applies the new role. The check was keyed to the verb the developer named in the route rather than to the action being performed.
Prevention Strategies
Best practices to prevent HTTP verb tampering attacks
1. Validate HTTP Methods
```javascript
// Express.js example: reject any verb the endpoint does not serve.
// Register this before any method-override middleware; otherwise the check
// sees the overridden verb instead of the one the client actually sent.
app.use('/api/users/:id', (req, res, next) => {
  const allowedMethods = ['GET', 'POST'];
  if (!allowedMethods.includes(req.method)) {
    return res.status(405).json({ error: 'Method not allowed' });
  }
  next();
});
```
2. Implement Proper Authorization
- Check permissions for each specific action, not just the endpoint
- Validate user roles and permissions on every request
- Use consistent authorization logic across all HTTP methods
- Implement the principle of least privilege
3. Disable Method Override Headers
```javascript
// Strip override headers before anything else runs. The better fix is not to
// mount method-override middleware at all; this is a backstop in case one is
// mounted later or pulled in by a dependency. Node lowercases incoming header
// names, so these keys match regardless of how the client spelled them.
// Note that override middleware may also honour a `_method` query or body
// field, which this header filter does not cover.
app.use((req, res, next) => {
  delete req.headers['x-http-method-override'];
  delete req.headers['x-method-override'];
  delete req.headers['x-http-method']; // also honoured by common override middleware
  next();
});
```
4. Use Framework Security Features
- Configure the web server to restrict allowed methods
- Use framework-specific method validation
- Implement CSRF protection for state-changing operations
- Enable comprehensive request logging and monitoring
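The following is an added example, not code from the original page, that ties the attack example to prevention steps 1 to 3. It models an Express-style middleware chain in plain Node with no framework dependency; the user store, the requests, the handler logic and the function names are all constructed for this illustration. The vulnerable chain rewrites the verb before authorization looks at it, so both a raw PUT and a POST overridden to PUT reach the update handler; the hardened chain applies a verb allowlist, drops the override headers, and authorizes the action rather than the verb named in the route.

```javascript
// Added example (not from the original page): in-process model of an
// Express-style middleware chain reproducing the X-HTTP-Method-Override
// escalation and the hardened configuration. Everything here is constructed.

// Constructed user store; the caller is user 123, an ordinary (non-admin) user.
function makeStore() {
  return { 123: { id: 123, role: 'user', permissions: 'read' } };
}

// Run a request through middleware in order. A middleware returns a response
// ({ status, body }) to stop the chain, or undefined to pass control on.
function run(chain, req) {
  for (const mw of chain) {
    const res = mw(req);
    if (res) return res;
  }
  return { status: 404, body: 'not found' };
}

// What method-override packages do: a POST carrying X-HTTP-Method-Override is
// seen by every later middleware and route as the named verb.
function methodOverride(req) {
  const ov = req.headers['x-http-method-override'];
  if (req.method === 'POST' && ov) req.method = ov.toUpperCase();
}

// VULNERABLE authorization: the admin rule is attached to the verb POST, so any
// other verb (PUT, DELETE, an overridden POST, ...) is not checked at all.
function adminOnlyForPost(req) {
  if (req.method === 'POST' && req.user.role !== 'admin') {
    return { status: 403, body: 'admin only' };
  }
}

// Routes for /api/users/123: GET reads, POST and PUT both apply an update.
function routes(store) {
  return (req) => {
    if (req.path !== '/api/users/123') return;
    if (req.method === 'GET') return { status: 200, body: store[123] };
    if (req.method === 'POST' || req.method === 'PUT') {
      Object.assign(store[123], req.body);
      return { status: 200, body: store[123] };
    }
  };
}

// Vulnerable order: the override rewrites the verb before authorization sees it.
function vulnerableApp(store) {
  return (req) => run([methodOverride, adminOnlyForPost, routes(store)], req);
}

// Prevention step 1: strict verb allowlist, registered before anything else.
function allowlist(allowed) {
  return (req) => {
    if (!allowed.includes(req.method)) return { status: 405, body: 'method not allowed' };
  };
}

// Prevention step 3: drop override headers so any mounted override middleware is inert.
function dropOverrideHeaders(req) {
  delete req.headers['x-http-method-override'];
  delete req.headers['x-method-override'];
}

// Prevention step 2: authorize the action (any modification of the profile),
// evaluated on the verb as it stands after all rewriting, not on the verb the
// developer happened to name in the route.
function authorizeAction(req) {
  const isWrite = req.method !== 'GET';
  if (isWrite && req.user.role !== 'admin') return { status: 403, body: 'admin only' };
}

// Hardened order. methodOverride is deliberately left mounted to show that the
// later checks still hold if step 3 is forgotten somewhere.
function hardenedApp(store) {
  return (req) => run([allowlist(['GET', 'POST']), dropOverrideHeaders, methodOverride,
                       authorizeAction, routes(store)], req);
}

// Constructed requests from an authenticated non-admin.
function request(method, headers = {}, body = {}) {
  return { method, path: '/api/users/123', headers, body, user: { id: 123, role: 'user' } };
}
const ATTACK_OVERRIDE = () => request('POST', { 'x-http-method-override': 'PUT' },
                                      { role: 'admin', permissions: 'all' });
const ATTACK_RAW_PUT = () => request('PUT', {}, { role: 'admin', permissions: 'all' });

// Returns the response status and the role left in the store afterwards.
function outcome(app, makeReq) {
  const store = makeStore();
  const res = app(store)(makeReq());
  return { status: res.status, role: store[123].role };
}

console.log('vulnerable, override:', outcome(vulnerableApp, ATTACK_OVERRIDE)); // 200, admin
console.log('vulnerable, raw PUT :', outcome(vulnerableApp, ATTACK_RAW_PUT));  // 200, admin
console.log('hardened,   override:', outcome(hardenedApp, ATTACK_OVERRIDE));   // 403, user
console.log('hardened,   raw PUT :', outcome(hardenedApp, ATTACK_RAW_PUT));    // 405, user
```

The ordering is the whole point: in a real Express app the same mistake looks like `app.use(methodOverride())` placed above the authorization middleware, or an authorization rule written as `router.post(...)` while the update handler is registered with `router.put(...)` or `app.all(...)`. Verifying the role left in the store, not just the status code, is how you tell a cosmetic 403 from an actual block.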
Testing for HTTP Verb Tampering
How to identify verb tampering vulnerabilities in your applications
Manual Testing Steps:
- Identify every endpoint and the verbs it is meant to serve (route definitions, API specification, OPTIONS responses)
- Send each endpoint every other verb, including HEAD, TRACE and an arbitrary unknown method, with a valid session for each role
- Repeat with method override headers (X-HTTP-Method-Override, X-Method-Override, X-HTTP-Method) and `_method` parameters on POST requests
- Check whether the unexpected request actually performed the action by inspecting the resource afterwards, not just the status code
- Confirm that rejected requests return 405 (with an Allow header) or 403, and that no side effect occurred
Automated Testing Tools:
- Burp Suite: Repeater for changing verbs by hand, plus HTTP method tampering extensions
- OWASP ZAP: Active scan rules for method testing
- Nikto: Web server method enumeration (reports the verbs advertised in OPTIONS responses)
- Custom scripts: Automated method fuzzing