Test HTTP Methods
OWASP
OWASP Web Security Testing Guide 4.2 > 2. Configuration and Deploy Management Testing> 2.6. Test HTTP Methods
ID | Link to Hackinglife | Link to OWASP | Description |
---|---|---|---|
2.6 | WSTG-CONF-06 | Test HTTP Methods | - Enumerate supported HTTP methods using OPTIONS. - Test for access control bypass (GET->HEAD->FOO). - Test HTTP method overriding techniques. |
HTTP method tampering, also known as HTTP verb tampering, is a type of security vulnerability that can be exploited in web applications. HTTP method tampering occurs when an attacker modifies the HTTP method being used in a request to trick the web application into performing unintended actions.
Test Objectives
- Enumerate supported HTTP methods.
- Test for access control bypass.
- Test HTTP method overriding techniques.
Enumerate with OPTIONS:
Test access control bypass with a made-up method:
Or test access control bypass with other methods.
PUT
After enumerating methods with Burpsuite:
We obtained as response:
HTTP/1.1 200 OK
Date: ....
....
Allow: OPTIONS,GET,HEAD,POST,PUT,DELETE,TRACE,PROPPATCH,COPY,MOVE,LOCK
Then, we can try to upload a file by using Burpsuite. Typical payload:
Try to upload a file by using curl. Typical payload:
curl https://example.org --upload-file test.html
curl -X PUT https://example.org/test.html -d "<script>alert(1)</script>"
DELETE
Try to delete a file by using Burpsuite. Typical payload:
Try to delete a file by using curl. Typical payload:
TRACE
The TRACE
method (or Microsoft’s equivalent TRACK
method) causes the server to echo back the contents of the request. This led to a vulnerability called Cross-Site Tracing (XST), which could be used to access cookies that had the HttpOnly
flag set. The TRACE
method has been blocked in all browsers and plugins for many years; as such, this issue is no longer exploitable. However, it may still be flagged by automated scanning tools, and the TRACE
method being enabled on a web server suggests that is has not been properly hardened.
CONNECT
The CONNECT
method causes the web server to open a TCP connection to another system, and then pass traffic from the client to that system. This could allow an attacker to proxy traffic through the server, in order to hide their source address, access internal systems or access services that are bound to localhost. An example of a CONNECT
request is shown below:
Testing for Access Control Bypass
If a page on the application redirects users to a login page with a 302 code when they attempt to access it directly, it may be possible to bypass this by making a request with a different HTTP method, such as HEAD
, POST
or even a made up method such as FOO
. If the web application responds with a HTTP/1.1 200 OK
rather than the expected HTTP/1.1 302 Found
, it may then be possible to bypass the authentication or authorization.
Testing for HTTP Method Overriding
Some web frameworks provide a way to override the actual HTTP method in the request. They achieve this by emulating the missing HTTP verbs and passing some custom headers in the requests. For example:
X-HTTP-Method
X-HTTP-Method-Override
X-Method-Override
To test this, consider scenarios where restricted verbs like PUT
or DELETE
return a 405 Method not allowed
. In such cases, replay the same request, but add the alternative headers for HTTP method overriding.