In the early days of the internet, you had to type "http://" before entering the web address of a website. Redirects have made our lives easier in that sense, but HTTP (Hypertext Transfer Protocol) still plays an integral part in applications across the web. Since this application-layer protocol for transferring hypermedia documents, such as HTML to render pages, is so common — it’s also a popular attack vector for cybercriminals.

What Are HTTP Verbs?

The HTTP verbs specify how the server should handle data identified by the URL. Often called "HTTP methods," they're called verbs because they are simply actions.

Web servers accept many different HTTP verbs, but some of the most common instances are:

• GET - Returns a representation of a specified resource. Only retrieves data.
• POST - Submits an entity to the specified resource, often causing a change in state or side effects on the server.
• PUT- Writes the request payload to the specified location.
• PATCH - Makes a partial change to an existing resource.
• DELETE - Deletes the resource at the specified location.

GET and POST are traditionally the two most commonly used HTTP verbs. For example, when you want to visit a website like Google, you’re performing a GET HTTP verb, retrieving the data from the website to your device.

Performing a POST HTTP verb often shows up as entering information into a form on a website. You're "posting" new data, or a state change, on the web server.

Links with the standard style trigger a GET request, while forms submitted with the 'POST' method trigger a POST request. In the absence of an HTTP verb, the form sends data via GET by default.

As you can see, there’s not much difficulty in being able to change HTTP verb inputs. Attackers easily perform sensitive functions like DELETE once it's evident that there are vulnerabilities in the HTTP configuration.

How Does HTTP Verb Tampering Work?

HTTP verb tampering attacks take advantage of vulnerabilities in authentication and access control mechanisms of HTTP methods.

The most common HTTP methods allow access with limited security because that’s how the authentication mechanisms were intended. Sites that required authentication originally were deemed secure with only password protection. As the Web got smarter, so did cybercriminals. Because most HTTP verbs are not fully secure, tampering is as simple as manipulating a password-protected area, allowing unauthorized access to restricted resources.

HTTP verb tampering tends to be caused by misconfigured security settings either in the web application or the backend server. An attacker will exploit the vulnerability to bypass authentication and access sensitive data—with the option to manipulate or delete data by simply changing the request method.

Common Attack Scenarios

• Insecure default configurations: Analyze whether any of your endpoints run on out-of-the-box settings and allow the usage of all HTTP verbs by default.
• Storing HTTP verbs in URL strings: Attackers can extract which HTTP verbs are allowed if stored in the URL strings. Ensure that your URLs do not contain HTTP verbs that can allow the URL to be easily manipulated.
• Using hidden fields to store status information: Hidden fields might be great and easy to use at design time, but attackers can easily read those hidden fields by inspecting the web page and then tamper with the information in them.
• Man-in-the-Middle attacks: Two servers are communicating without encryption, which allows an attacker to intercept and monitor traffic and communication.
• Lack of authorization and authentication of API endpoints: API vulnerabilities are commonly caused by inadequate authorization and authentication controls. An attacker can compromise an account protected by a single layer of authentication and abuse a lack of checks to expose information.
• Insecure coding: A web developer often applies specific filters to mitigate particular vulnerabilities within the written code, but leaves the code insecure by not applying those filters to all HTTP verbs.
• HTTP verbs being transferred between the client and the server: An attacker hijacks the message being passed between client and server to tweak the HTTP verb.

How to Combat HTTP Verb Tampering Vulnerabilities

There are a few actions you should take immediately to prevent HTTP verb tampering.

• Check Configurations: Make sure your code is not set to "allow all" in your security configurations. Failure to do so means attackers can use alternative HTTP verbs like HEAD or arbitrary character strings in their requests to gain access.
• Test: Penetration testing (or pen testing) involves simulating attack scenarios on your HTTP verbs to look for vulnerabilities that could lead to HTTP verb tampering before they're exploited. If you're regularly conducting pen tests, checking for problems like modified data or request smuggling will help prevent any issues from happening later. Be sure to include not only whether or not they're accessible, but what may happen once access has been granted.
• Automate the process: Automation saves time and resources all around. Automating your pen-testing means more quality analysis in finding potential vulnerabilities and preventing them before they happen.

APIsec is the only automated API security testing solution that covers both vulnerability scanning and pen testing.

APIsec provides ten times the coverage of manual pen testing at one-tenth the cost. APIsec doesn’t stop there, though.

When vulnerabilities are uncovered, APIsec automatically provides a detailed description of the attack playbook used, giving you an actual "recording" or wire logs of the successful attack and remediation recommendations. Engineers never have to waste time investigating issues; instead, they can focus on remediation of the underlying problem.

Schedule a demo today to see how APIsec can automate API security testing for your organization.

‍