HTTP Verb Tampering

Hacer Dalkiran
1 min read · Feb 15, 2024

Most web attacks exploit insecure configuration. The HTTP protocol works with different verbs such as GET and POST. However, when the back end is misconfigured, users can use the other verbs as well.

The HTTP protocol accepts 9 types of verbs. These verbs include:

  • HEAD : Similar to GET request, but its response only contains headers. It does not contain response body.
  • PUT : Writes the request payload to the specific location.
  • DELETE : Deletes the resource at the specified location.
  • OPTIONS : Shows different options accepted by a web server, like accepted HTTP verbs.
  • PATCH : Applies partial modifications to the resource at the specified location.

If the configuration for those verbs is missing, we can gain control over the back end by using them.

GET and HEAD are similar, so we can use HEAD to manipulate our HTTP requests. Most of the time, GET, POST, OPTIONS and HEAD are not prohibited. We can use the following curl command to make HTTP requests.

curl -i -X OPTIONS http://SERVER_IP:PORT/
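
The gap described above, as an added example that is not code from the article: a guard that checks only the verbs it names lets HEAD, PUT, DELETE and PATCH through, while a deny-by-default guard does not. The `/admin` path, the two verb sets and the presence-only credential check are assumptions made for the illustration.

```python
# Added example: constructed WSGI guards, run offline against constructed requests.
from wsgiref.util import setup_testing_defaults

ALLOWED = {"GET", "HEAD", "POST", "OPTIONS"}  # assumption: verbs this app needs
PROTECTED = {"GET", "POST"}                   # the weak rule names verbs explicitly

def app(environ, start_response):
    """Constructed back end: treats any request that reaches it as authorized."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"admin area\n"]

def _reject(start_response, status, headers=()):
    start_response(status, [("Content-Length", "0"), *headers])
    return [b""]

def weak_guard(inner):
    """Misconfigured: credentials are checked only for verbs listed in PROTECTED."""
    def mw(environ, start_response):
        listed = environ["REQUEST_METHOD"] in PROTECTED
        if listed and not environ.get("HTTP_AUTHORIZATION"):
            return _reject(start_response, "401 Unauthorized")
        return inner(environ, start_response)  # every unlisted verb falls through
    return mw

def strict_guard(inner):
    """Deny by default: unknown verbs get 405, every allowed verb needs credentials."""
    def mw(environ, start_response):
        if environ["REQUEST_METHOD"] not in ALLOWED:
            allow = [("Allow", ", ".join(sorted(ALLOWED)))]
            return _reject(start_response, "405 Method Not Allowed", allow)
        if not environ.get("HTTP_AUTHORIZATION"):  # presence check stands in for real auth
            return _reject(start_response, "401 Unauthorized")
        return inner(environ, start_response)
    return mw

def status_for(guard, method, authorization=None):
    """Send one constructed request through a guard and return its status code."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": "/admin"}
    setup_testing_defaults(environ)  # fills the remaining WSGI keys, keeps ours
    if authorization:
        environ["HTTP_AUTHORIZATION"] = authorization
    seen = []
    guard(app)(environ, lambda status, headers: seen.append(status))
    return int(seen[0].split()[0])

if __name__ == "__main__":
    for verb in ("GET", "HEAD", "PUT", "DELETE", "PATCH", "OPTIONS"):
        print(verb, status_for(weak_guard, verb), status_for(strict_guard, verb))
```

Run directly, it prints the status each guard returns per verb for an unauthenticated request, which is the same comparison a curl loop over `-X` values would give against a live server.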
