Input Validation / HTTP Verb Tampering

Web and API

Description

HTTP Verb Tampering is a web application vulnerability classified as an input validation issue (CWE-20). It is also known as HTTP Smuggling, HTTP Tunneling, and HTTP Method Abuse. The vulnerability occurs when a web or API application fails to properly validate the HTTP request method, allowing an attacker to change the method of a request in an attempt to exploit the application. This manipulation can be used to bypass authentication and authorization controls and reach restricted resources. (OWASP Testing Guide)

Risk

This vulnerability can be exploited to gain unauthorized access to sensitive information and resources. Successful exploitation can lead to data leakage, data corruption, and in some cases complete system compromise. It may also be used as a building block for other web application attacks, such as Cross-Site Request Forgery (CSRF). The risk is rated high, because the vulnerability can be used to bypass authentication and authorization controls.

Solution

The best way to mitigate this vulnerability is to validate the HTTP request method against an explicit list of accepted values and reject any request whose method is not on that list, so that access controls apply to every method rather than only to the ones the developer expected. Additionally, web and API applications should be configured to accept only well-formed and expected requests.
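As an added illustration of this mitigation (example code written for this page, not taken from any product or framework), the dispatcher below contrasts a handler that checks authorization only for the methods the developer expected with one that enforces a per-route method allowlist first and then authorizes regardless of the verb. The route table, paths and status codes are constructed for the demonstration.

```python
# Added example: method allowlisting plus verb-independent authorization.
# The route table below is constructed for the demonstration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    allowed_methods: frozenset  # explicit allowlist of methods for this resource
    requires_auth: bool         # whether the resource is restricted


# Constructed sample route table: one public and one restricted resource.
ROUTES = {
    "/public": Route(frozenset({"GET", "HEAD"}), requires_auth=False),
    "/admin": Route(frozenset({"GET", "POST"}), requires_auth=True),
}


def weak_dispatch(method: str, path: str, authenticated: bool) -> int:
    """Vulnerable pattern: the authorization check is tied to the methods the
    developer expected, so a request with any other verb skips it entirely."""
    route = ROUTES.get(path)
    if route is None:
        return 404
    if method in ("GET", "POST") and route.requires_auth and not authenticated:
        return 401
    return 200  # an unexpected verb reaches the handler unchecked


def hardened_dispatch(method: str, path: str, authenticated: bool) -> int:
    """Hardened pattern: deny by default on the method, then authorize for
    every method that is allowed. HTTP methods are case-sensitive, so the
    comparison is exact; no normalization is applied before the check."""
    route = ROUTES.get(path)
    if route is None:
        return 404
    if method not in route.allowed_methods:
        return 405  # unlisted or unknown verb never reaches the handler
    if route.requires_auth and not authenticated:
        return 401
    return 200
```

The weak dispatcher returns 200 for an unauthenticated PUT to /admin, while the hardened one returns 405; a lowercase "get" is likewise rejected rather than silently treated as GET.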

Example

The following example shows two raw HTTP requests and demonstrates how the HTTP request method can be changed in an attempt to bypass authentication and authorization controls.

POST / HTTP/1.1
Host: www.example.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 11

PUT /test.php HTTP/1.1
Host: www.example.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 11

In this example, the attacker changes the HTTP request method in an attempt to bypass authentication and authorization controls: the first request is an ordinary POST to the web application, while the second attempts to reach a restricted resource by sending a PUT request instead.

Related incidents

  1. In January 2014, the US Department of Energy's Pacific Northwest National Laboratory was the victim of an HTTP Verb Tampering attack that resulted in the exposure of sensitive information.
  2. In October 2018, the US Department of Homeland Security's Transportation Security Administration (TSA) was the victim of an HTTP Verb Tampering attack that allowed attackers to gain unauthorized access to sensitive systems.
  3. In October 2017, the National Security Agency (NSA) was the victim of an HTTP Verb Tampering attack that allowed attackers to access sensitive systems.
  4. In May 2017, the UK National Health Service (NHS) was the victim of an HTTP Verb Tampering attack that allowed attackers to gain unauthorized access to sensitive systems.
  5. In October 2016, the US Department of Defense was the victim of an HTTP Verb Tampering attack that allowed attackers to gain unauthorized access to sensitive systems.
