HTTP Verb Tampering

Vulnerability Details

Severity:

Medium

Category:

Web Application

Description

The application, or an access-control layer in front of it (web server rules, a framework filter or middleware), applies its authentication or authorization check only to certain HTTP methods, typically GET and POST. A request for the same resource sent with a different method reaches the handler without the check, so an attacker can bypass the restriction simply by changing the request method.

Risks

An attacker can bypass authentication or authorization by sending a restricted request with a method the access rule does not cover, such as HEAD, PUT, DELETE, PATCH, or an arbitrary non-standard verb. Many servers and frameworks serve HEAD through the GET handler, and some pass unrecognised methods to a default handler, so the request still reaches the protected code. A HEAD response carries no body, but any side effects of the handler (state changes, writes, deletions) still occur.

Remediation

Enforce authentication and authorization before the request is dispatched by method, so that the same check runs for every method, including HEAD and unrecognised verbs, instead of listing the methods the rule covers. For example, in Apache use <LimitExcept> rather than <Limit>, because <Limit GET POST> leaves every other method unrestricted. Define the allowed methods explicitly for each endpoint and reject every other method with 405 Method Not Allowed, together with an Allow header listing the permitted methods, rather than falling through to a default handler. Do not use the request method as a security decision in its own right, and do not treat HEAD or non-standard verbs as harmless.
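Both the per-method access rule described under Description and Risks and the remediation above can be seen in one small router. The following is an added example written for this page, not code from the original or from any particular framework; the endpoint, the bearer token and the handler behaviour are constructed for the demonstration.

```javascript
// Added example, not code from the original page: a minimal in-memory router
// that models a per-method access rule (the vulnerability) next to a check that
// runs before method dispatch (the fix). The endpoint, token and handler
// behaviour are constructed for the demonstration.

const ADMIN_TOKEN = "constructed-admin-token"; // constructed credential

// Application handlers for the protected resource. Most frameworks serve HEAD
// via the GET handler; both routers below do the same explicitly.
const handlers = {
  GET: () => ({ status: 200, body: '[{"id":1,"name":"alice"}]' }),
  DELETE: () => ({ status: 200, body: "user deleted" }),
};

function isAuthorized(req) {
  return req.headers.authorization === `Bearer ${ADMIN_TOKEN}`;
}

// Vulnerable router: the access rule names the methods it covers. Any other
// method skips the check entirely; HEAD is then served by the GET handler and
// unrecognised verbs hit a permissive default.
function vulnerableHandle(req) {
  if ((req.method === "GET" || req.method === "POST") && !isAuthorized(req)) {
    return { status: 401, body: "unauthorized" };
  }
  const effective = req.method === "HEAD" ? "GET" : req.method;
  const handler = handlers[effective] || handlers.GET; // default fallback
  const res = handler(req);
  return req.method === "HEAD" ? { status: res.status, body: "" } : res;
}

// Hardened router: an explicit method allow-list is enforced first (405 with an
// Allow header for anything else), then the authorization check runs for every
// surviving method, and only then is the request dispatched. There is no
// default handler for unknown verbs.
const ALLOWED_METHODS = ["GET", "HEAD", "DELETE"];

function hardenedHandle(req) {
  if (!ALLOWED_METHODS.includes(req.method)) {
    return {
      status: 405,
      body: "method not allowed",
      headers: { Allow: ALLOWED_METHODS.join(", ") },
    };
  }
  if (!isAuthorized(req)) {
    return { status: 401, body: "unauthorized" };
  }
  const effective = req.method === "HEAD" ? "GET" : req.method;
  const res = handlers[effective](req);
  return req.method === "HEAD" ? { status: res.status, body: "" } : res;
}

// Verb-tampering probe, as a tester would run it: send the same unauthenticated
// request with each method and record the status code. A protected endpoint
// should never answer 200 to any of them.
function probeMethods(handle, methods) {
  const results = {};
  for (const method of methods) {
    results[method] = handle({ method, path: "/admin/users", headers: {} }).status;
  }
  return results;
}

const PROBE_METHODS = ["GET", "POST", "HEAD", "PUT", "DELETE", "PATCH", "FOO"];

console.log("vulnerable:", probeMethods(vulnerableHandle, PROBE_METHODS));
console.log("hardened:  ", probeMethods(hardenedHandle, PROBE_METHODS));
```

Against the vulnerable router the probe returns 401 only for GET and POST and 200 for everything else, including HEAD and the made-up verb FOO; against the hardened router it returns 401 for the three allowed methods and 405 for the rest, and a correctly authenticated DELETE still succeeds. The same probe, run with a real HTTP client against a finding's endpoint, is the quickest way to confirm or rule out this issue.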