Prerequisites
The targeted system must make access-control decisions that depend on the HTTP verb (method) of the request, for example a rule that is enforced only for GET and POST.
Resources Required
The attacker requires a tool that lets them set the HTTP verb of each request by hand (an intercepting proxy or a raw HTTP client) when sending messages to the targeted server.
Mitigations
Design: Allow only the HTTP verbs the application actually needs and reject every other verb, including unknown ones.
Design: Do not use the HTTP verb as an input to access decisions; authorize on the requested resource and the caller's identity, so that the decision is the same whatever verb is used.
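As an added illustration of both mitigations (this is example code, not part of the CAPEC entry), the following simulates an access rule that is scoped to GET and POST on a protected path beside a hardened rule that first enforces a verb allowlist and then decides on path and identity only. The `/admin` path, the allowlist contents and the `check_access_*` helper names are assumptions chosen for the example; the probe sends an unauthenticated request with a range of verbs, including a made-up one, to show which verbs reach the protected handler under each rule.

```python
"""Added example: HTTP verb tampering against a verb-scoped access rule,
beside a hardened rule.  Not CAPEC's code; the /admin path, the allowlist
and the helper names are assumptions made for illustration."""

from dataclasses import dataclass

ADMIN_PATH = "/admin"                                  # assumed protected resource
ALLOWED_METHODS = {"GET", "POST", "HEAD", "OPTIONS"}   # assumed explicit verb allowlist


@dataclass
class Request:
    method: str
    path: str
    authenticated: bool


def check_access_vulnerable(req: Request) -> bool:
    """Mimics a rule written as 'GET and POST to /admin require authentication'.

    Any other verb never matches the rule, so the request falls through and is
    let in.  Many web frameworks route HEAD, or any verb they do not know, to
    the same handler as GET, which is why this is a real bypass and not just a
    harmless 405.
    """
    if req.path.startswith(ADMIN_PATH) and req.method in {"GET", "POST"}:
        return req.authenticated
    return True   # rule did not apply: request reaches the handler


def check_access_hardened(req: Request) -> bool:
    """Mitigation 1: reject every verb outside the allowlist (a 405 in practice).
    Mitigation 2: decide access on path and identity alone, never on the verb."""
    if req.method not in ALLOWED_METHODS:
        return False
    if req.path.startswith(ADMIN_PATH):
        return req.authenticated
    return True


def probe(check) -> set:
    """Return the verbs with which an unauthenticated client reaches /admin.

    The verb list is constructed for the example; 'FOO' stands in for any
    arbitrary string an intercepting proxy can put on the request line.
    """
    verbs = ["GET", "POST", "HEAD", "OPTIONS", "PUT", "DELETE", "TRACE", "FOO"]
    return {v for v in verbs if check(Request(v, ADMIN_PATH, authenticated=False))}


if __name__ == "__main__":
    print("vulnerable rule, verbs that bypass:", sorted(probe(check_access_vulnerable)))
    print("hardened rule, verbs that bypass:  ", sorted(probe(check_access_hardened)))
```

The same probe is what a tester runs against a live target: replay an unauthenticated request to a protected URL with each verb in turn and compare the responses; any verb that returns the protected content, or a 200 where GET returned a redirect to login, is a finding.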
Related Weaknesses
CWE-ID | Weakness Name
 | Authentication Bypass by Assumed-Immutable Data: The authentication scheme or implementation uses key data elements that are assumed to be immutable, but can be controlled or modified by the attacker.
 | Reliance on a Single Factor in a Security Decision: A protection mechanism relies exclusively, or to a large extent, on the evaluation of a single condition or the integrity of a single object or entity in order to make a decision about granting access to restricted resources or functionality.
References
REF-118: Arshan Dabirsiaghi. Bypassing Web Authentication and Authorization with HTTP Verb Tampering: How to inadvertently allow attackers full access to your web application. http://mirror.transact.net.au/sourceforge/w/project/wa/waspap/waspap/Core/Bypassing_VBAAC_with_HTTP_Verb_Tampering.pdf
Submission
Name | Organization | Date | Release Date
CAPEC Content Team | The MITRE Corporation | 2014-06-23 +00:00 |
Modifications
Name | Organization | Date | Comment
CAPEC Content Team | The MITRE Corporation | 2019-09-30 +00:00 | Updated Related_Attack_Patterns