TLDR Key Takeaways
In the early days of the internet, you had to type "http://" before entering the web address of a website. Redirects have made our lives easier in that sense, but HTTP (Hypertext Transfer Protocol) still plays an integral part in applications across the web. Since this application-layer protocol for transferring hypermedia documents, such as HTML to render pages, is so common — it’s also a popular attack vector for cybercriminals.
The HTTP verbs specify how the server should handle data identified by the URL. Often called "HTTP methods," they're called verbs because they are simply actions.
Web servers accept many different HTTP verbs, but some of the most common instances are:
GET and POST are traditionally the two most commonly used HTTP verbs. For example, when you want to visit a website like Google, you’re performing a GET HTTP verb, retrieving the data from the website to your device.
Performing a POST HTTP verb often shows up as entering information into a form on a website. You're "posting" new data, or a state change, on the web server.
Links with the standard style trigger a GET request, while forms submitted with the 'POST' method trigger a POST request. In the absence of an HTTP verb, the form sends data via GET by default.
As you can see, there’s not much difficulty in being able to change HTTP verb inputs. Attackers easily perform sensitive functions like DELETE once it's evident that there are vulnerabilities in the HTTP configuration.
HTTP verb tampering attacks take advantage of vulnerabilities in authentication and access control mechanisms of HTTP methods.
The most common HTTP methods allow access with limited security because that’s how the authentication mechanisms were intended. Sites that required authentication originally were deemed secure with only password protection. As the Web got smarter, so did cybercriminals. Because most HTTP verbs are not fully secure, tampering is as simple as manipulating a password-protected area, allowing unauthorized access to restricted resources.
HTTP verb tampering tends to be caused by misconfigured security settings either in the web application or the backend server. An attacker will exploit the vulnerability to bypass authentication and access sensitive data—with the option to manipulate or delete data by simply changing the request method.
There are a few actions you should take immediately to prevent HTTP verb tampering.
APIsec is the only automated API security testing solution that covers both vulnerability scanning and pen testing.
APIsec provides ten times the coverage of manual pen testing at one-tenth the cost. APIsec doesn’t stop there, though.
When vulnerabilities are uncovered, APIsec automatically provides a detailed description of the attack playbook used, giving you an actual "recording" or wire logs of the successful attack and remediation recommendations. Engineers never have to waste time investigating issues; instead, they can focus on remediation of the underlying problem.
Schedule a demo today to see how APIsec can automate API security testing for your organization.