Detections
Analytics
HTTP Verb Tampering
medium Web App Scanning Plugin ID 113211
Language:
Synopsis
HTTP Verb TamperingDescription
HTTP Verb Tampering is an attack that bypasses an authentication or control system that is based on the HTTP Verb. Sometimes, Web Server authentication mechanisms use verb-based authentication with access controls. Such security mechanisms include access control rules for requests with specific HTTP methods. Due to the HTTP specification that includes request methods other than the standard GET and POST requests, a standards compliant web server may respond to these alternative methods in ways not anticipated by developers. So if an application restricts only GET requests it might still be possible to access the page using a POST, PUT, PATCH or other method.Solution
Block all HTTP verb instead of using a blocklist of HTTP verbs.See Also
Plugin Details
Severity: Medium
ID: 113211
Type: remote
Family: Web Applications
Published: 3/31/2022
Updated: 6/10/2024
Scan Template: api, basic, full, pci, scan
Risk Information
VPR
Risk Factor: Low
Score: 2.9
CVSS v2
Risk Factor: Medium
Base Score: 4
Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:N/A:N
CVSS Score Source: Tenable
CVSS v3
Risk Factor: Medium
Base Score: 4.3
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CVSS Score Source: Tenable
CVSS v4
Risk Factor: Medium
Base Score: 6.9
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
CVSS Score Source: Tenable
Vulnerability Information
Exploit Ease: Exploits are available
Reference Information
CWE: 287
OWASP: 2010-A3, 2013-A2, 2017-A2, 2021-A7
WASC: Insufficient Authentication
CAPEC: 114, 115, 151, 194, 22, 57, 593, 633, 650, 94
DISA STIG: APSC-DV-000460
HIPAA: 164.312(a)(1), 164.312(a)(2)(i)
ISO: 27001-A.13.1.1, 27001-A.14.1.2, 27001-A.14.1.3, 27001-A.18.1.3, 27001-A.6.2.2, 27001-A.9.1.2, 27001-A.9.4.1, 27001-A.9.4.4, 27001-A.9.4.5
NIST: sp800_53-AC-3
OWASP API: 2019-API7, 2023-API8
PCI-DSS: 3.2-6.5.10