HTTP Verb Tampering

medium Web Application Scanning Plugin ID 113211





HTTP Verb Tampering is an attack that bypasses an authentication or access control mechanism that is based on the HTTP verb. Some web server authentication mechanisms apply access controls per verb: their rules cover only requests made with specific HTTP methods. Because the HTTP specification defines request methods other than the standard GET and POST, a standards-compliant web server may respond to these alternative methods in ways developers did not anticipate. If an application restricts only GET requests, it might still be possible to access the page using POST, PUT, PATCH or another method.


Block all HTTP verbs instead of using a blocklist of HTTP verbs.
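The difference between the two approaches, as an added example that is not part of the plugin or its output: a guard that restricts only listed verbs next to one that rejects every verb a route does not explicitly accept. The `/admin` prefix, the `Request` type, both guard functions and the sample methods are assumptions made for illustration.

```python
# Added example: verb blocklist vs. deny-by-default allowlist.
# Route names, guards and sample requests are constructed for illustration.
from dataclasses import dataclass

PROTECTED_PREFIX = "/admin"  # hypothetical protected area


@dataclass(frozen=True)
class Request:
    method: str
    path: str
    authenticated: bool = False


def blocklist_guard(req: Request) -> int:
    """Weak: authentication is enforced only for the verbs that were listed."""
    restricted = {"GET"}
    if req.path.startswith(PROTECTED_PREFIX) and req.method in restricted:
        if not req.authenticated:
            return 401
    return 200  # every unlisted verb falls through to the handler


# Verbs each protected route accepts; anything else is rejected outright.
ALLOWED_METHODS = {PROTECTED_PREFIX: {"GET", "POST"}}


def allowlist_guard(req: Request) -> int:
    """Hardened: reject unlisted verbs, then require auth for the whole route."""
    if req.path.startswith(PROTECTED_PREFIX):
        if req.method not in ALLOWED_METHODS[PROTECTED_PREFIX]:
            return 405  # Method Not Allowed, the handler never runs
        if not req.authenticated:
            return 401  # auth is tied to the route, not to one verb
    return 200


def unauthenticated_exposure(guard, methods):
    """Return the verbs that reach /admin/users without authentication."""
    target = PROTECTED_PREFIX + "/users"
    return [m for m in methods if guard(Request(m, target)) == 200]


# Constructed sample: the verbs named in the description plus DELETE.
SAMPLE_METHODS = ["GET", "POST", "PUT", "PATCH", "DELETE"]

if __name__ == "__main__":
    for guard in (blocklist_guard, allowlist_guard):
        print(guard.__name__, unauthenticated_exposure(guard, SAMPLE_METHODS))
```

Running the same verb list through a guard in a regression test is a cheap way to confirm that a new route does not quietly fall back to verb-specific rules.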


Plugin Details

Severity: Medium

ID: 113211

Type: remote

Published: 3/31/2022

Updated: 3/31/2022

Scan Template: pci, api, scan

Risk Information


Risk Factor: Low

Score: 2.9


Risk Factor: Medium

Base Score: 4

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:N/A:N

CVSS Score Source: Tenable


Risk Factor: Medium

Base Score: 4.3

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CVSS Score Source: Tenable

Vulnerability Information

Exploit Ease: Exploits are available
