While this is nothing really new, it has recently resurfaced with some interesting uses. Aspect Security has published a white paper, “Bypassing Web Authentication and Authorization with HTTP Verb Tampering”, that has brought this all to light.
In the past, I would usually use verb tampering for your XSS or SQLi attacks. Authorization bypass really never crossed my mind, which prompted me to read up a bit. After some reading, it was kind of a “hit my head” type of moment. I highly recommend reading the white paper, but here is a high-level overview as I see it.
Verb Tampering for authorization bypass can be as simple as substituting a GET with a HEAD. For example:
In Java EE you can restrict access to a location with web.xml.
    <security-constraint>
        <web-resource-collection>
            <url-pattern>/admin/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>admin</role-name>
        </auth-constraint>
    </security-constraint>
This restricts access to /admin/* only for the listed http-methods. What is not mentioned is that if you change the verb to something different, such as HEAD, the container will let the request through. You can easily do this with WebScarab by intercepting the request and editing the method.
Many people think that by explicitly listing the methods, the others will be blocked as well, when in fact the opposite holds: if they did not list any methods at all, the constraint would cover every method. The methods that are listed are the only ones that are protected. Funny side note: I was actually looking at BEA docs for something totally unrelated and I happened to see their recommendation on how to secure folders with web.xml, and their way was vulnerable to the HEAD attack.
Another interesting find is the use of arbitrary verbs. In PHP and Java this is allowed, which means that we can throw it a verb that does not even exist. The application will then take the request and convert it to a GET. This also bypasses the security restrictions, because the container matched the literal, unlisted verb against the constraint and found nothing to enforce.
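To make the matching rule concrete, here is an added example (my own, not from the post or from Aspect's paper) that models how a container decides whether a web.xml security-constraint covers a given path and verb. It compares the post's /admin/* config, which lists GET and POST, with the same config minus the http-method elements; the audit helper and the made-up verb FOO are my assumptions, and the url-pattern matching is simplified to the exact, prefix and extension rules.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml fragments. LISTED mirrors the post's example; ALL_VERBS is the same
# constraint with no <http-method> elements, so it applies to every verb (the fix).
LISTED = """
<web-app>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/admin/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
</web-app>
"""
ALL_VERBS = (LISTED.replace("<http-method>GET</http-method>", "")
                   .replace("<http-method>POST</http-method>", ""))


def _pattern_matches(pattern, path):
    """Simplified servlet url-pattern rules: prefix ('/x/*'), extension ('*.jsp'), exact."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern


def is_protected(web_xml, path, method):
    """True if some security-constraint with an auth-constraint covers (path, method)."""
    root = ET.fromstring(web_xml.strip())
    for sc in root.iter("security-constraint"):
        if sc.find("auth-constraint") is None:
            continue
        for wrc in sc.iter("web-resource-collection"):
            patterns = [p.text.strip() for p in wrc.iter("url-pattern")]
            methods = [m.text.strip() for m in wrc.iter("http-method")]
            if not any(_pattern_matches(p, path) for p in patterns):
                continue
            # Listed methods restrict the collection; an empty list means "every verb".
            # HTTP methods are case-sensitive, so the comparison is exact, as a container's is.
            if methods and method not in methods:
                continue
            return True
    return False


def audit(web_xml, path, verbs=("GET", "POST", "HEAD", "FOO")):
    """Map each verb to whether the config enforces a role check for it on this path."""
    return {v: is_protected(web_xml, path, v) for v in verbs}
```

Running audit(LISTED, "/admin/users") shows HEAD and FOO unprotected, while audit(ALL_VERBS, "/admin/users") protects every verb, which is exactly the difference the post describes.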