HTTP Verb Tampering

medium Web App Scanning Plugin ID 113211

Synopsis

HTTP Verb Tampering

Description

HTTP Verb Tampering is an attack that bypasses an authentication or access control system that is keyed on the HTTP verb. Some web server authentication mechanisms use verb-based access control, with rules that apply only to requests using specific HTTP methods. Because the HTTP specification defines request methods beyond the common GET and POST, a standards-compliant web server may respond to these alternative methods in ways the developers did not anticipate. So if an application restricts only GET requests, it may still be possible to access the page using POST, PUT, PATCH or another method.

Solution

Allow only the HTTP verbs the application needs and block all others, instead of using a blocklist of HTTP verbs.
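As an added illustration that is not part of the plugin text, the Python below contrasts the verb-specific gate the description warns about with the allowlist approach the solution recommends; the allowed verb set, the status codes and the constructed sample requests are assumptions.

```python
# Added example (not Tenable's code): a method-keyed access check versus an allowlist.

# Assumption: the protected resource only legitimately serves GET and POST.
ALLOWED_VERBS = {"GET", "POST"}


def check_verb_specific(method: str, authenticated: bool) -> int:
    """Weak control: the authentication rule is tied to GET only.

    Any other verb (POST, HEAD, PUT, PATCH, or an unknown one) never hits the
    rule and falls through to the handler unauthenticated. This is the
    bypass the plugin description refers to.
    """
    if method.upper() == "GET" and not authenticated:
        return 403
    return 200


def check_allowlist(method: str, authenticated: bool) -> int:
    """Hardened control: reject every verb not explicitly allowed, then
    apply authentication uniformly to the verbs that remain."""
    verb = method.upper()
    if verb not in ALLOWED_VERBS:
        return 405  # Method Not Allowed: unexpected verbs never reach the handler
    if not authenticated:
        return 403
    return 200


def evaluate(policy, requests):
    """Run a policy over (method, authenticated) pairs; return {method: status}."""
    return {method: policy(method, auth) for method, auth in requests}


# Constructed sample: an unauthenticated client trying several verbs.
SAMPLE_REQUESTS = [("GET", False), ("POST", False), ("HEAD", False),
                   ("PUT", False), ("PATCH", False), ("TRACK", False)]


def bypassed_verbs(policy):
    """Verbs an unauthenticated client can use to reach the handler (status 200)."""
    return sorted(m for m, status in evaluate(policy, SAMPLE_REQUESTS).items() if status == 200)
```

Running `bypassed_verbs(check_verb_specific)` lists every verb except GET, while `bypassed_verbs(check_allowlist)` is empty.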

See Also

https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/07-Input_Validation_Testing/03-Testing_for_HTTP_Verb_Tampering

Plugin Details

Severity: Medium

ID: 113211

Type: remote

Published: 3/31/2022

Updated: 11/10/2022

Scan Template: api, basic, full, pci, scan

Risk Information

VPR

Risk Factor: Low

Score: 2.9

CVSS v2

Risk Factor: Medium

Base Score: 4

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:N/A:N

CVSS Score Source: Tenable

CVSS v3

Risk Factor: Medium

Base Score: 4.3

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CVSS Score Source: Tenable

Vulnerability Information

Exploit Ease: Exploits are available

Reference Information