What is HTTP Verb Tampering and How to Exploit It?

Rahulkrishnan R Panicker
2 min read · Oct 30, 2023


HTTP Verb

If you have seen GET, POST, PUT and similar requests in Burp or in the browser's inspector, those are HTTP verbs: a set of request methods that indicate the desired action to be performed on a given resource.

Retrieve a single item (GET)
Retrieve a list of items (GET)
Create an item (POST)
Update an item (PUT)
Delete an item (DELETE)

HTTP Verb Tampering

The so-called "verb tampering" is simply the operation of changing GET to POST, or POST to GET, or either one to HEAD, or to PUT/PATCH/whatever, and possibly moving parameters from query string to body or vice versa. The reason it works as an attack is that sometimes this lets you skip validation or escaping logic while still hitting a path vulnerable to injection attacks.

How can a pentester use HTTP verb tampering?

HTTP verb tampering is generally used in conjunction with syntactic (XSS, SQLi, etc.) and semantic (bypassing authentication/authorization controls) attacks as a way to get past certain defense measures. Arshan's work on the implementation details focuses on the semantic version.

How does it work?

The attack is really simple, and like many vulnerabilities, is the sort of thing it seems crazy anybody would get wrong... but people do.

Assume a web application accepts input at the path /user-input, and that the endpoint is implemented as a POST request.

The developers saw a risk of XSS or similar, so they wanted to add a security check to the endpoint. They added a POST request handler which runs before the main logic for the path. This POST handler takes the request body and performs input validation, ensuring that there is nothing in it that could cause XSS (or any other injection attack, such as SQLi, command injection, LDAP injection, etc.). Fine, so long as requests to the page are only ever sent using POST.

But if the same input is sent with GET, the POST-only validation handler never runs while the main logic still processes the parameters, so the injection bugs the check was meant to prevent become reachable again.
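The pattern above in code, as an added example that is not from the original post: a constructed toy dispatcher (standing in for a real web framework) with the POST-only validator beside a hardened version that enforces the method first, validates every input source the handler reads, and escapes on output.

```python
import html
import re
from urllib.parse import parse_qs

# Constructed toy dispatcher, not any framework's API.
# A request is (method, query_string, body); handlers return (status, body).

INJECTION_PATTERN = re.compile(r"[<>\"']")   # deliberately crude validator for illustration


def validate(params):
    """Reject any parameter value containing characters commonly used in XSS payloads."""
    return not any(INJECTION_PATTERN.search(v) for values in params.values() for v in values)


def user_input_handler(params):
    """Main logic for /user-input: reflects the 'comment' field into an HTML fragment."""
    comment = params.get("comment", [""])[0]
    return 200, f"<p>{comment}</p>"


def handle_vulnerable(method, query, body):
    """The bug from the post: validation lives in a POST-only pre-handler."""
    if method == "POST":
        params = parse_qs(body)
        if not validate(params):
            return 400, "rejected"
    else:
        params = parse_qs(query)          # GET/HEAD/etc. input reaches the handler unvalidated
    return user_input_handler(params)


def handle_hardened(method, query, body):
    """Fix: enforce the method, validate everything the handler reads, escape on output."""
    if method != "POST":
        return 405, "method not allowed"  # verb tampering gets no code path at all
    params = parse_qs(query)
    params.update(parse_qs(body))         # merge all input sources before validation
    if not validate(params):
        return 400, "rejected"
    safe = {k: [html.escape(v) for v in vs] for k, vs in params.items()}
    return user_input_handler(safe)       # output encoding as defence in depth
```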

References:

https://blog.jeremiahgrossman.com/2008/06/what-you-need-to-know-about-http-verb.html

https://www.sans.org/blog/http-verb-tampering-in-asp-net/
