HTTP verb tampering

Description
  • By manipulating the HTTP verb it was possible to bypass the authorization on this directory. The scanner sent a request with a custom HTTP verb (WVS in this case) and managed to bypass the authorization. The attacker can also try any of the valid HTTP verbs, such as HEAD, TRACE, TRACK, PUT, DELETE, and many more.

    An application is vulnerable to HTTP verb tampering if the following conditions hold:

      - it uses a security control that lists HTTP verbs
      - the security control fails to block verbs that are not listed
      - it has GET functionality that is not idempotent or will execute with an arbitrary HTTP verb

    For example, Apache with .htaccess is vulnerable if HTTP verbs are specified using the Limit directive, because the access control then applies only to the listed verb and every other verb is served without it:

        <Limit GET>
            require valid-user
        </Limit>
Remediation
  • In the case of Apache + .htaccess, don't use HTTP verb restrictions at all (a require directive outside any Limit section applies to every method), or use LimitExcept, which applies the control to every verb that is not listed, so unknown and custom verbs are covered too.
    Check references for more information on how to fix this problem on other platforms.
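    The vulnerable .htaccess beside the two hardened forms described above, as an added example that is not part of the original finding. It assumes Apache 2.4 with mod_auth_basic and mod_authz_core enabled, an AllowOverride setting that permits AuthConfig and Limit in .htaccess, and a placeholder path for the password file.

```apache
# Added example (not from the original page). Assumes Apache 2.4,
# mod_auth_basic + mod_authz_core, and a placeholder .htpasswd path.

# --- Vulnerable form: only GET is covered by the control. Any verb NOT
# --- listed (HEAD, PUT, DELETE, a custom verb such as WVS, ...) reaches
# --- the directory with no authentication at all.
AuthType Basic
AuthName "Restricted area"
# placeholder path
AuthUserFile /path/to/.htpasswd
<Limit GET>
    Require valid-user
</Limit>

# --- Fix 1: drop the verb restriction. A Require outside any Limit
# --- section applies to every request method, listed or not.
AuthType Basic
AuthName "Restricted area"
# placeholder path
AuthUserFile /path/to/.htpasswd
Require valid-user

# --- Fix 2: authentication for every method as in Fix 1, plus
# --- LimitExcept to refuse any method the directory does not need.
# --- LimitExcept matches every verb that is NOT listed, so unknown or
# --- custom verbs fall inside it rather than slipping past the control.
AuthType Basic
AuthName "Restricted area"
# placeholder path
AuthUserFile /path/to/.htpasswd
Require valid-user
<LimitExcept GET POST>
    Require all denied
</LimitExcept>
```

    Only one of the three blocks belongs in a real .htaccess; they are shown together for comparison. After deploying a fix, confirm it by requesting the directory with a verb that is not listed and checking that the server answers with 401 or 403 rather than the resource.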
References