HTTP Verb Tampering is an attack that takes advantage of the common HTTP verbs (GET, POST and HEAD), which are
also known as HTTP methods. A web application accepts data using one of these three HTTP verbs and processes
the information accordingly. Unless restricted, the web application will accept data sent with any HTTP verb. If
the application does not expect the POST method, it may not be able to handle the incoming data and may
function incorrectly.
If an attacker uses an HTTP verb that the web server does not recognize, invalid information may again be
accepted by the web server, and undesired results can be inputted to or retrieved from the web application. In
many cases HTTP Verb Tampering can allow a user to gain access to restricted areas.
WebSafe will test for HTTP Verb Tampering:
Firstly, WebSafe can test URLs to find out which HTTP verbs are allowed. Using this knowledge, our tests
consist of trying to manipulate the data issued to the server using either standard (GET, HEAD, POST) verbs or
custom verbs. The best prevention is to accept only the particular verb that is expected and validate accordingly.
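The prevention described above, a per-route method allowlist, shown as an added example that is not WebSafe's code or part of this page. It contrasts a naive WSGI handler that dispatches on the path alone (so GET, POST, HEAD or an unrecognized verb all reach the same code and the same parameter handling) with a hardened handler that checks the verb against an allowlist before reading any input and answers with 405 Method Not Allowed plus an Allow header. The routes, the user parameter and the helper names are hypothetical; the example runs entirely in-process with no network.

```python
# Added example (not WebSafe's code): a tiny WSGI application that enforces a
# per-route HTTP method allowlist, next to a naive version that does not.
import io
from urllib.parse import parse_qs
from wsgiref.util import setup_testing_defaults

# Hypothetical routes and the only methods each one should accept.
ALLOWED_METHODS = {
    "/login": {"POST"},
    "/profile": {"GET", "HEAD"},
}


def _params(environ):
    """Collect parameters from the query string and, if present, a form body."""
    params = parse_qs(environ.get("QUERY_STRING", ""))
    length = int(environ.get("CONTENT_LENGTH") or 0)
    if length:
        body = environ["wsgi.input"].read(length).decode()
        for key, values in parse_qs(body).items():
            params.setdefault(key, []).extend(values)
    return params


def naive_app(environ, start_response):
    """Dispatches on path only: any verb, standard or custom, reaches the handler."""
    path = environ["PATH_INFO"]
    if path not in ALLOWED_METHODS:
        start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [b"not found"]
    user = _params(environ).get("user", ["anonymous"])[0]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [f"handled {path} for {user}".encode()]


def hardened_app(environ, start_response):
    """Checks the verb against the route's allowlist before touching any input."""
    path = environ["PATH_INFO"]
    method = environ["REQUEST_METHOD"]  # compared case-sensitively, as RFC 7231 requires
    allowed = ALLOWED_METHODS.get(path)
    if allowed is None:
        start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [b"not found"]
    if method not in allowed:
        # 405 with an Allow header is what RFC 7231 prescribes; the body is never read.
        start_response("405 Method Not Allowed",
                       [("Content-Type", "text/plain"),
                        ("Allow", ", ".join(sorted(allowed)))])
        return [b"method not allowed"]
    user = _params(environ).get("user", ["anonymous"])[0]
    start_response("200 OK", [("Content-Type", "text/plain")])
    # HEAD gets the same headers as GET but no body.
    return [b"" if method == "HEAD" else f"handled {path} for {user}".encode()]


def call(app, method, path, query="", body=b""):
    """Drive a WSGI app in-process and return (status, headers, body) for inspection."""
    environ = {}
    setup_testing_defaults(environ)
    environ.update({
        "REQUEST_METHOD": method,
        "PATH_INFO": path,
        "QUERY_STRING": query,
        "CONTENT_LENGTH": str(len(body)),
        "wsgi.input": io.BytesIO(body),
    })
    captured = {}

    def start_response(status, headers):
        captured["status"] = status
        captured["headers"] = dict(headers)

    out = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], out


if __name__ == "__main__":
    # Constructed requests: the same verbs against /login for both handlers.
    for verb in ("GET", "POST", "HEAD", "FOO"):
        for app in (naive_app, hardened_app):
            status, _, _ = call(app, verb, "/login", query="user=alice")
            print(f"{app.__name__:13s} {verb:5s} /login -> {status}")
```

The naive handler returns 200 for every verb, including the made-up FOO, because nothing ever looks at REQUEST_METHOD; the hardened handler only lets POST through to /login and tells the client which methods are permitted. The same allowlist can be checked from outside by sending each verb to a URL and expecting 405 for everything not on the list, which is a useful regression test after deployment.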