Verb Tampering¶
Overview¶
Many web environments allow verb-based authentication and access control (VBAAC). The rules for the security controls involve using the HTTP verb (POST, GET, etc) as part of this decision.
Unfortunately, some implementations work in an unexpected and insecure way. They deny methods not specified in the VBAAC rules, but allow ANY method that isn't listed.
APIs should only accept the verbs that are specified in their specification, while rejecting all other verbs with a 405 Method Not Allowed.
Recommendation¶
Ensure that only the required methods are allowed, and that the allowed methods are properly configured and specified in your specification.
Ensure that no workarounds are implemented to bypass security measures implemented by user-agents, frameworks, or web servers.
Examples¶
This is a common mistake in JAVA EE web XML files. For example:
```xml
<security-constraint>
<web-resource-collection>
<url-pattern>/secret/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>administrator</role-name>
</auth-constraint>
</security-constraint>
```
These rules will block `GET` and `POST` requests to the `/secret/*` endpoints
for non-`administrator` users. Any other verbs (from any other role) will still
be allowed!
In this case, you should remove all `<http-method>` elements altogether from
`web.xml` so that constraints apply to all requests. If access to a single method
is still required, you should combine a 'deny all' constraint with a method-specific
constraint.
```xml
<security-constraint>
<web-resource-collection>
<web-resource-name>site</web-resource-name>
<http-method>GET</http-method>
</web-resource-collection>
...
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>site</web-resource-name>
<url-pattern>/secret/*</url-pattern>
</web-resource-collection>
...
</security-constraint>
```
References¶
- OWASP: Security Misconfiguration.
- Common Weakness Enumeration: CWE-16.
- Bypassing VBAAC with HTTP Verb Tampering