HTTP Verb Tampering

Check List

Methodology

Black Box

HTTP Tampering Bypassing Access Denied

1. Navigate to the target application in a browser.

2. Identify a functionality that is restricted to authenticated users (e.g., user deletion, admin actions).

3. Log out or ensure you are not authenticated.

4. Intercept a legitimate restricted request (e.g., a POST or DELETE request) using a proxy tool such as Burp Suite.

5. Observe that the original request uses a restricted HTTP method, for example:

    POST /admin/deleteUser HTTP/1.1
    Host: target.com

6. Send the original request without authentication and confirm that access is denied.

7. Modify the HTTP method to an alternative method such as GET or PUT:

    GET /admin/deleteUser HTTP/1.1
    Host: target.com

8. Send the modified request using Burp Suite Repeater.

9. Observe the server response.

10. If the server processes the request successfully and performs the restricted action without authentication, confirm that authentication bypass is achieved via HTTP method manipulation.


Admin Emails & Passwords Exposed via HTTP Method Change

1. Navigate to the target application.

2. Access the Email section of the platform.

3. Interact with the Reply feature to trigger a request.

4. Intercept the outgoing request using a proxy tool (Burp Suite).

5. Observe that the request is sent to an API endpoint using the POST method:

    POST /index.php/api/rest/latest/windows HTTP/1.1

6. Send the intercepted POST request to Burp Repeater.

7. Replay the original POST request.

8. Confirm that the server responds and returns a JSON response similar to:

    HTTP/1.1 201 Created
    Host: example.com
    Cookie: ...
    ...

    {"id":1}

9. Modify the HTTP method of the same request from POST to GET.

10. Send the modified GET request to the same endpoint.

11. Observe the server response and confirm that the server returns a full list of registered users. Verify that the response contains sensitive data such as user IDs, email addresses, and password hashes (or plaintext passwords).

12. Confirm that this data is accessible without proper authorization checks.


Improper PATCH Method Handling for Unauthorized User Data Modification

1. Navigate to the target application and authenticate as a regular user (non-admin).

2. Identify user-related API endpoints by reviewing JavaScript files, inspecting network traffic in the browser Developer Tools, or enumerating hidden or undocumented paths.

3. Locate an endpoint responsible for updating user data (profile update).

4. Attempt to access or modify another user’s data using common HTTP methods such as:

    PUT /api/users/{user_id}
    POST /api/users/{user_id}

   Confirm that the server responds with:

    403 Forbidden

5. Modify the HTTP method to PATCH:

    PATCH /api/users/{user_id}

6. Keep the same authenticated session of the regular user.

7. Craft a JSON request body containing modified user data, for example:

    {
      "email": "attacker@evil.com"
    }

8. Send the PATCH request using a proxy tool (e.g., Burp Suite Repeater).

9. Observe the server response and confirm that the server responds with a success status (200 OK) instead of 403 Forbidden.

10. Verify that the targeted user’s data has been modified successfully.
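All three findings above share one root cause: the access-control rule is keyed on the HTTP method, so a verb the developer did not list (GET, PATCH) matches no rule and reaches the handler unchecked. The following is an added example, not code from this checklist or any product it tests; the `Request` class, the two rule tables and the tiny dispatchers are constructed to model that bug beside its fix (authorize the resource first, then allow-list the verb).

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Request:
    method: str
    path: str
    user_id: Optional[int] = None   # None = unauthenticated session
    is_admin: bool = False

def _match(path):
    # Map /api/users/7 to its template; other paths are returned unchanged.
    parts = path.split("/")
    if len(parts) == 4 and parts[1:3] == ["api", "users"] and parts[3].isdigit():
        return "/api/users/{id}", int(parts[3])
    return path, None

def _authorized(req, required, target_id):
    if req.user_id is None:
        return False
    if required == "admin":
        return req.is_admin
    return req.is_admin or req.user_id == target_id   # "owner" rule

# Vulnerable: rules keyed on (method, path); an unlisted verb (GET, PATCH) matches nothing.
VULN_RULES = {("POST", "/admin/deleteUser"): "admin",
              ("PUT", "/api/users/{id}"): "owner",
              ("POST", "/api/users/{id}"): "owner"}

def vulnerable_dispatch(req):
    template, target_id = _match(req.path)
    required = VULN_RULES.get((req.method, template))
    if required and not _authorized(req, required, target_id):
        return 403
    return 200   # handler runs, including for verbs nobody listed

# Hardened: authorize the resource first, then check the verb against an allow-list.
SAFE_RULES = {"/admin/deleteUser": ("admin", {"POST", "DELETE"}),
              "/api/users/{id}": ("owner", {"GET", "PUT", "PATCH"})}

def hardened_dispatch(req):
    template, target_id = _match(req.path)
    if template not in SAFE_RULES:
        return 404
    required, allowed = SAFE_RULES[template]
    if req.user_id is None:
        return 401
    if not _authorized(req, required, target_id):
        return 403
    if req.method not in allowed:
        return 405   # unexpected verbs are rejected, never silently routed
    return 200
```

A 405 on an unlisted verb against a protected path is also a cheap detection signal: the hardened dispatcher makes every verb-tampering attempt visible in the access log instead of letting it succeed quietly.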


White Box

Cheat Sheet
