CAPEC-274 Detail

CAPEC-274

Name

HTTP Verb Tampering

Typical Severity

Medium

Status

Draft

Published

2014-06-23
00h00 +00:00

Modified

2019-09-30
00h00 +00:00

Official links

CAPEC Mitre.org

Alerte pour un CAPEC

Stay informed of any changes for a specific CAPEC.

Notifications manage

List of Notifications

Alerte pour un CAPEC

Stay informed of any changes for a specific CAPEC.

Parameters

You can specify a title that will be retrieved in the alerts that will be sent out.

Specify the CAPEC ID you wish to monitor.

Planning

Month

Next run calculation

Day

Weekday

Hour

Minute

Creation date

Last execution

Next execution

Functionality requiring a connection

This feature, which allows you to receive alerts, is only active when you are logged into your account.

Descriptions CAPEC

An attacker modifies the HTTP Verb (e.g. GET, PUT, TRACE, etc.) in order to bypass access restrictions. Some web environments allow administrators to restrict access based on the HTTP Verb used with requests. However, attackers can often provide a different HTTP Verb, or even provide a random string as a verb in order to bypass these protections. This allows the attacker to access data that should otherwise be protected.

Informations CAPEC

Prerequisites

The targeted system must attempt to filter access based on the HTTP verb used in requests.

Resources Required

The attacker requires a tool that allows them to manually control the HTTP verb used to send messages to the targeted server.

Mitigations

Design: Ensure that only legitimate HTTP verbs are allowed.
Design: Do not use HTTP verbs as factors in access decisions.

Related Weaknesses

CWE-ID	Weakness Name
CWE-302	Authentication Bypass by Assumed-Immutable Data The authentication scheme or implementation uses key data elements that are assumed to be immutable, but can be controlled or modified by the attacker.
CWE-654	Reliance on a Single Factor in a Security Decision A protection mechanism relies exclusively, or to a large extent, on the evaluation of a single condition or the integrity of a single object or entity in order to make a decision about granting access to restricted resources or functionality.

References

REF-118

Bypassing Web Authentication and Authorization with HTTP Verb Tampering: How to inadvertently allow attackers full access to your web application
Arshan Dabirsiaghi.
http://mirror.transact.net.au/sourceforge/w/project/wa/waspap/waspap/Core/Bypassing_VBAAC_with_HTTP_Verb_Tampering.pdf

Submission

Name	Organization	Date	Date release
CAPEC Content Team	The MITRE Corporation	2014-06-23 +00:00

Modifications

Name	Organization	Date	Comment
CAPEC Content Team	The MITRE Corporation	2019-09-30 +00:00	Updated Related_Attack_Patterns