CAPEC-274

HTTP Verb Tampering
Medio
Draft
2014-06-23
00h00 +00:00
2019-09-30
00h00 +00:00
CAPEC Mitre.org
Alerta para un CAPEC
Manténgase informado sobre cualquier cambio en un CAPEC específico.
Gestionar notificaciones

Descripciones CAPEC

An attacker modifies the HTTP Verb (e.g. GET, PUT, TRACE, etc.) in order to bypass access restrictions. Some web environments allow administrators to restrict access based on the HTTP Verb used with requests. However, attackers can often provide a different HTTP Verb, or even provide a random string as a verb in order to bypass these protections. This allows the attacker to access data that should otherwise be protected.

Informaciones CAPEC

Prerrequisitos

The targeted system must attempt to filter access based on the HTTP verb used in requests.

Recursos requeridos

The attacker requires a tool that allows them to manually control the HTTP verb used to send messages to the targeted server.

Mitigaciones

Design: Ensure that only legitimate HTTP verbs are allowed.
Design: Do not use HTTP verbs as factors in access decisions.

Debilidades relacionadas

CWE-ID Nombre de la debilidad

CWE-302

 Authentication Bypass by Assumed-Immutable Data
The authentication scheme or implementation uses key data elements that are assumed to be immutable, but can be controlled or modified by the attacker.

CWE-654

 Reliance on a Single Factor in a Security Decision
A protection mechanism relies exclusively, or to a large extent, on the evaluation of a single condition or the integrity of a single object or entity in order to make a decision about granting access to restricted resources or functionality.

Referencias

REF-118

Bypassing Web Authentication and Authorization with HTTP Verb Tampering: How to inadvertently allow attackers full access to your web application
Arshan Dabirsiaghi.
http://mirror.transact.net.au/sourceforge/w/project/wa/waspap/waspap/Core/Bypassing_VBAAC_with_HTTP_Verb_Tampering.pdf

Envío

Nombre Organización Fecha Fecha de lanzamiento
CAPEC Content Team The MITRE Corporation 2014-06-23 +00:00

Modificaciones

Nombre Organización Fecha Comentario
CAPEC Content Team The MITRE Corporation 2019-09-30 +00:00 Updated Related_Attack_Patterns
La información presentada en CVE Find proviene de varias fuentes de referencia cuidadosamente seleccionadas. Los datos CVE son proporcionados por MITRE Corporation y la Base de Datos Nacional de Vulnerabilidades (NVD). El catálogo de Vulnerabilidades Explotadas Conocidas (KEV) proviene de la Agencia de Seguridad de Infraestructura y Ciberseguridad (CISA), mientras que las puntuaciones EPSS provienen de FIRST.org. Además, los datos sobre debilidades de software (CWE) y patrones de ataque comunes (CAPEC) son mantenidos por MITRE Corporation, y la información sobre configuraciones de hardware y software (CPE) es proporcionada por la NVD.