HTTP Verb Tampering

Here I have a static web page. I viewed the source and there aren't any comments, JavaScript, forms, or other exploitable features on the page.

I ran Dirbuster to discover additional unlinked content and found the directory /admin.

The Burp Suite Pro proxy history shows that the page is using Basic authentication.

I attempted to brute force the login but the password wasn’t found. Next I used Nmap to test for HTTP verb tampering.

Then I went back to Burp Suite, intercepted the request, changed the GET verb to GGG, and was able to bypass authentication and retrieve the challenge password.

The GET method is only one of many HTTP verbs; others include POST, PUT, DELETE, SPACEJUMP, DEBUG, OPTIONS, TRACE, CONNECT, PROPFIND, LOCK, UNLOCK, PROPPATCH, MKCOL, COPY and MOVE.

Here is a sample .htaccess file in which the author applied the authentication requirement only to the methods named in the <Limit> section (GET and POST), which I was able to easily bypass:

AuthName "restrict access"
AuthType Basic
AuthUserFile /usr/local/etc/httpd/users
<Limit GET POST>
require group staff
</Limit>

Additionally, you could list all the HTTP verbs in the file (note that Apache does not allow TRACE inside <Limit>; that method is controlled by the TraceEnable directive instead, so it is omitted here):

AuthName "restrict all methods"
AuthType Basic
AuthUserFile /usr/local/etc/httpd/users
<Limit POST GET PUT DELETE SPACEJUMP DEBUG OPTIONS CONNECT PROPFIND LOCK UNLOCK PROPPATCH MKCOL COPY MOVE>
require group staff
</Limit>

However, as shown above, I was able to use Burp to tamper with the request: the server served the page for the unknown verb "GGG" as if it were a GET, and because GGG is not named in the <Limit> section, no authentication was required, so the restriction was bypassed.

A safer alternative that prevents verb tampering is to remove the method limits altogether, so that authentication is required for every method and any verb you throw at it is caught:

AuthName "restrict all methods except"
AuthType Basic
AuthUserFile /usr/local/etc/httpd/users
require group staff
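To make the three variants above concrete, here is an added Python audit helper (my own example, not code from the original post) that parses an .htaccess fragment and reports which request methods would reach the resource without Basic authentication. It models Apache's rules: a top-level require applies to every method, <Limit> applies only to the methods it names, and <LimitExcept> (the inverse directive Apache provides) applies to everything not named; it also assumes Apache's documented behaviour that restricting GET restricts HEAD as well. The sample configs inside the block are constructed to mirror the ones in this post, and the GGG verb from the bypass is included in the probe list.

```python
import re
from typing import List, Tuple

# Constructed sample .htaccess fragments mirroring the variants in the post.
LIMIT_GET_POST = """\
AuthName "restrict access"
AuthType Basic
AuthUserFile /usr/local/etc/httpd/users
<Limit GET POST>
require group staff
</Limit>
"""

NO_LIMIT = """\
AuthName "restrict all methods except"
AuthType Basic
AuthUserFile /usr/local/etc/httpd/users
require group staff
"""

# The inverse directive: everything except the listed methods needs auth.
LIMIT_EXCEPT_GET_POST = """\
AuthType Basic
AuthUserFile /usr/local/etc/httpd/users
<LimitExcept GET POST>
require group staff
</LimitExcept>
"""

# Directive names are case-insensitive in Apache; method names are not.
_OPEN = re.compile(r"^\s*<\s*(LimitExcept|Limit)\s+([^>]*?)\s*>\s*$", re.I)
_CLOSE = re.compile(r"^\s*<\s*/\s*(LimitExcept|Limit)\s*>\s*$", re.I)
_REQUIRE = re.compile(r"^\s*require\b", re.I)


def parse_require_scopes(config: str) -> List[Tuple[str, frozenset]]:
    """Return one (scope, methods) pair per 'require' directive found.

    scope is 'all' for a top-level require, 'limit' inside <Limit ...> and
    'except' inside <LimitExcept ...>; methods is the set named by the
    enclosing section (empty for 'all').
    """
    scopes: List[Tuple[str, frozenset]] = []
    stack: List[Tuple[str, frozenset]] = []  # currently open sections
    for line in config.splitlines():
        opened = _OPEN.match(line)
        if opened:
            kind = "except" if opened.group(1).lower() == "limitexcept" else "limit"
            stack.append((kind, frozenset(opened.group(2).split())))
        elif _CLOSE.match(line):
            if stack:
                stack.pop()
        elif _REQUIRE.match(line):
            scopes.append(stack[-1] if stack else ("all", frozenset()))
    return scopes


def auth_required(config: str, method: str) -> bool:
    """Does any 'require' in this config apply to a request with this method?

    Apache evaluates HEAD under the same rules as GET, so restricting GET also
    restricts HEAD (assumption taken from the Apache <Limit> documentation).
    A method that is not named in <Limit>, including a made-up verb, is simply
    not covered by that section's require.
    """
    effective = "GET" if method == "HEAD" else method
    for scope, methods in parse_require_scopes(config):
        if scope == "all":
            return True
        if scope == "limit" and effective in methods:
            return True
        if scope == "except" and effective not in methods:
            return True
    return False


def unrestricted_methods(config: str, probe: List[str]) -> List[str]:
    """Audit view: which probe methods would be served without authentication?"""
    return [m for m in probe if not auth_required(config, m)]


if __name__ == "__main__":
    probe = ["GET", "POST", "HEAD", "OPTIONS", "GGG"]
    for label, cfg in [("<Limit GET POST>", LIMIT_GET_POST),
                       ("no <Limit>", NO_LIMIT),
                       ("<LimitExcept GET POST>", LIMIT_EXCEPT_GET_POST)]:
        print(f"{label:24} unauthenticated: {unrestricted_methods(cfg, probe)}")
```

Running it shows the first config leaving OPTIONS and GGG unauthenticated, the config with no <Limit> leaving nothing open, and <LimitExcept GET POST> protecting everything except GET, POST and HEAD. Running this over the .htaccess files of a deployment is a cheap way to catch the pattern before someone finds it with a proxy.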
