HTTP Verb Tampering Demo/Example/Tutorial
What is HTTP Verb?
- According to Wikipedia, "The Hypertext Transfer Protocol (HTTP) is an application protocol for distributed, collaborative, hypermedia information systems. HTTP is the foundation of data communication for the World Wide Web."
- A verb is simply an HTTP method: it tells the server which action the client wants performed on the identified resource.
- List of some basic HTTP verbs (methods):
- OPTIONS
- GET
- HEAD
- POST
- PUT
- DELETE
- TRACE
- CONNECT
What is HTTP Verb Tampering?
HTTP verb tampering is a way of bypassing an access control by changing the method (verb) of the request. In this case a directory holding private files is protected with HTTP basic authentication through an Apache .htaccess file, and the .htaccess is written in a way that makes the protection trivial to get around. The attack is the result of an Apache .htaccess misconfiguration.
The administrator restricts access to the private resource or directory only for the POST request method. See the vulnerable configuration below.
Here AuthUserFile points to the .htpasswd file, which holds the usernames and their password hashes (not encrypted passwords).
require valid-user
Because the authentication directives are applied only to POST (an Apache <Limit POST> block), the server asks for credentials and checks them against the .htpasswd file only when the request method is POST; a wrong password produces the error page.
So the administrator has restricted POST but has left every other method unrestricted. Any request sent with a different method (GET, HEAD, PUT, DELETE, or even an arbitrary verb the server does not know) reaches the protected resource without credentials. Below I have provided a video demo of successful exploitation of an HTTP verb tampering vulnerability, using the Live HTTP Headers Firefox add-on, on an AT&T sub domain (reported and fixed). In the next post I will show various ways to fix or patch this vulnerability.
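The following script is an added example and is not code from the original post or from the demo. It shows how to check a protected path for verb tampering: it sends the same unauthenticated request with each method, including a made-up one, and reports which methods reach the resource. So that it runs offline, it starts two local test servers that stand in for the two .htaccess variants: VulnerableHandler checks credentials only for POST, mirroring the directives wrapped in <Limit POST> as described above, and FixedHandler checks them for every method, which is what the same directives do once the <Limit> wrapper is removed. The host, ports, credential and path are constructed for the demo; point probe() at a real URL only on a target you are authorised to test.

```python
"""Probe a URL with several HTTP methods to detect verb tampering.

Added example, not from the original post.  Two local http.server
instances mimic the vulnerable and the fixed .htaccess behaviour; every
host, port, credential and path here is made up for the demo.
"""
import base64
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Methods to try.  "FOO" is an arbitrary verb: Apache passes unknown
# methods through, and <Limit POST> does not cover them either.
PROBE_METHODS = ["GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "FOO"]

# Constructed demo credential, playing the role of one .htpasswd entry.
VALID_AUTH = "Basic " + base64.b64encode(b"admin:s3cret").decode()


class ProtectedHandler(BaseHTTPRequestHandler):
    """Serves /private/ and enforces basic auth like the .htaccess did.

    GUARDED_METHODS plays the role of the <Limit ...> directive: auth is
    checked only for methods in that set.  None means "no <Limit>", so
    every method is checked.
    """
    GUARDED_METHODS = None

    def _needs_auth(self):
        return self.GUARDED_METHODS is None or self.command in self.GUARDED_METHODS

    def _handle(self):
        if self.path.startswith("/private/") and self._needs_auth():
            if self.headers.get("Authorization") != VALID_AUTH:
                self.send_response(401)
                self.send_header("WWW-Authenticate", 'Basic realm="private"')
                self.end_headers()
                return
        self.send_response(200)
        self.end_headers()
        if self.command != "HEAD":          # HEAD responses carry no body
            self.wfile.write(b"secret\n")

    def log_message(self, *args):           # keep the demo quiet
        pass


# http.server dispatches to do_<METHOD>; route every probed verb to _handle.
for _m in PROBE_METHODS:
    setattr(ProtectedHandler, "do_" + _m, ProtectedHandler._handle)


class VulnerableHandler(ProtectedHandler):
    # Mirrors: <Limit POST> AuthType Basic ... require valid-user </Limit>
    GUARDED_METHODS = {"POST"}


class FixedHandler(ProtectedHandler):
    # Mirrors the same directives with the <Limit> wrapper removed.
    GUARDED_METHODS = None


def probe(base_url, methods=PROBE_METHODS, path="/private/"):
    """Send one unauthenticated request per method; return {method: status}."""
    results = {}
    for method in methods:
        req = urllib.request.Request(base_url + path, method=method)
        try:
            with urllib.request.urlopen(req, timeout=5) as resp:
                results[method] = resp.status
        except urllib.error.HTTPError as err:
            results[method] = err.code
    return results


def bypass_methods(results):
    """Methods that reached the resource without credentials."""
    return sorted(m for m, status in results.items() if status == 200)


def start_server(handler_cls):
    """Bind to an ephemeral localhost port and serve in a daemon thread."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), handler_cls)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_address[1]


def demo():
    """Probe both test servers; returns {"vulnerable": {...}, "fixed": {...}}."""
    out = {}
    for name, cls in (("vulnerable", VulnerableHandler), ("fixed", FixedHandler)):
        server, url = start_server(cls)
        try:
            out[name] = probe(url)
        finally:
            server.shutdown()
            server.server_close()
    return out


if __name__ == "__main__":
    for name, results in demo().items():
        print(name, results, "bypass via:", bypass_methods(results))
```

Against the vulnerable server every method except POST comes back 200 without credentials, including the unknown verb FOO; against the fixed server every method gets 401. Two Apache details worth keeping in mind when reading real .htaccess files: a <Limit GET> also covers HEAD, since Apache serves HEAD through the GET handler, and any method not named in <Limit>, known or not, is left unrestricted, which is exactly the gap this post demonstrates.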