- Exploiting HTTP Verb Tampering vulnerabilities is usually a relatively straightforward process: we just need to try alternate HTTP methods to see how they are handled by the web server and the web application
- While many automated vulnerability scanning tools can consistently identify HTTP Verb Tampering vulnerabilities caused by insecure server configurations, they usually miss HTTP Verb Tampering vulnerabilities caused by insecure coding

# Identify
- `/admin/reset.php` is gated by an HTTP basic authentication prompt
![[images/Pasted image 20260107195612.png]]
- determine whether it's only this page or the entire `/admin` directory

# Exploit
- view the GET request in Burp and right-click to change the request method
![[images/Pasted image 20260107195603.png]]
- Looks like both GET and POST requests are authentication gated
- To see whether the server accepts `HEAD` requests, we can send an `OPTIONS` request to it and see what HTTP methods are accepted, as follows
```bash
curl -i -X OPTIONS http://SERVER_IP:PORT/
```
- We can see that POST, OPTIONS, HEAD, and GET requests are allowed
- When we change to a HEAD request we notice that we are no longer authentication gated

# Exercise
- `ping` test
![[images/Pasted image 20260107201307.png]]
- `nmap` scan
![[images/Pasted image 20260107201344.png]]
- visit page
![[images/Pasted image 20260107201327.png]]
- source code
![[images/Pasted image 20260107201335.png]]
- reset to delete files
- we get a login prompt
![[images/Pasted image 20260107201213.png]]
- GET request directed to `/admin/reset.php?`
![[images/Pasted image 20260107201258.png]]
- determine which methods are allowed
- no info
![[images/Pasted image 20260107202044.png]]
- send to `repeater` and try various methods
- POST gives same error as GET
- PATH and OPTIONS give 200 OKs
- refresh page and view
![[images/Pasted image 20260107202941.png]]
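
Added example, not part of the original notes or the lab's code: a small in-process WSGI model of the behaviour seen in the Exploit section, where a gate that asks for credentials only on the methods it lists (GET and POST) lets `HEAD` and others through, beside a gate that checks credentials on every method. The handler, credential, method list and function names are constructed for illustration; the target's real configuration is not shown in these notes.

```python
import base64
import hmac
from wsgiref.util import setup_testing_defaults

METHODS = ["GET", "POST", "HEAD", "OPTIONS", "PATCH", "PUT", "DELETE"]
EXPECTED = b"Basic " + base64.b64encode(b"admin:constructed-pw")  # constructed

def reset_app(environ, start_response):  # hypothetical stand-in for reset.php
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"files reset"]

def _authed(environ):
    supplied = environ.get("HTTP_AUTHORIZATION", "").encode("latin-1", "replace")
    return hmac.compare_digest(supplied, EXPECTED)

def _deny(start_response):
    start_response("401 Unauthorized", [("WWW-Authenticate", 'Basic realm="admin"')])
    return [b""]

def auth_listed_methods(app, protected=("GET", "POST")):
    """Weak gate: asks for credentials only on the methods it lists."""
    def gate(environ, start_response):
        if environ["REQUEST_METHOD"] in protected and not _authed(environ):
            return _deny(start_response)
        return app(environ, start_response)  # any unlisted method lands here
    return gate

def auth_every_method(app, allowed=("GET", "POST")):
    """Hardened gate: credentials on every method, then 405 for unexpected ones."""
    def gate(environ, start_response):
        if not _authed(environ):
            return _deny(start_response)
        if environ["REQUEST_METHOD"] not in allowed:
            start_response("405 Method Not Allowed", [("Allow", ", ".join(allowed))])
            return [b""]
        return app(environ, start_response)
    return gate

def status_for(gated_app, method, authorization=""):
    # In-process call (no network); returns the numeric status code.
    environ = {"REQUEST_METHOD": method, "PATH_INFO": "/admin/reset.php",
               "HTTP_AUTHORIZATION": authorization}
    setup_testing_defaults(environ)
    seen = []
    gated_app(environ, lambda status, headers: seen.append(status))
    return int(seen[0].split()[0])

def bypass_methods(gated_app):
    """Methods that reach the handler (200) without any credentials."""
    return [m for m in METHODS if status_for(gated_app, m) == 200]
```

Running `bypass_methods` against both gates as a regression check shows the difference: the method-scoped gate exposes every method it did not list, while the method-agnostic gate exposes none.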