Version: 2.10

HTTP Verb Tampering

Overview

HTTP verb tampering is an attack that exploits vulnerabilities in applications or servers that do not properly validate the verb (also known as the method) of an HTTP request. It can lead to authentication and access control bypass. For example, some applications perform user authentication only for HTTP requests that use common HTTP methods / verbs such as POST and GET; that authentication can then be bypassed by submitting the same request with a different HTTP method / verb, which is the vulnerability that HTTP verb tampering exploits.

HTTP verb tampering vulnerabilities are covered by CWE-650 and CAPEC-274.

The HTTP Verb Tampering security feature is enabled using the ARMR http rule. When this security feature is enabled the agent monitors all HTTP requests that target the HTTP endpoints defined in the ARMR http rule and validates the HTTP request method according to the validation policy of the rule.

Given (Condition)

To enable the HTTP Verb Tampering security feature using the ARMR http rule, the user specifies the request declaration.

request
This determines the HTTP endpoints for which protection is enabled. An optional key-value pair can be supplied to this declaration, where the key is paths and the value can be one of the following (indicating specifically targeted HTTP endpoints):
  • a quoted string
  • a list of one or more quoted strings
If no value is specified then protection is applied to all HTTP endpoints by default. If a string value is specified then it must:
  • not be empty
  • be a valid relative URI

When (Event)

validate
To enable HTTP verb tampering protection the user must provide the method parameter to this declaration. In addition, the key-value pair with key is must also be defined.

method
The method key signifies that HTTP verb (method) tampering protection is in use.

is
The is key indicates the permitted values of HTTP verbs for a given request. Possible values for the is key are:
  • GET
  • POST
  • HEAD
  • PUT
  • DELETE
  • CONNECT
  • OPTIONS
  • TRACE
  • PATCH

Then (Action)

protect
Processing of an HTTP request that fails method validation is stopped and the HTTP response returned is empty. If configured, a log message is generated with details of the event.

detect
Monitoring mode: the application behaves as normal. A log message is generated with details of the HTTP request target that fails validation. A log message must be specified with this action.

allow
Can be used to allow HTTP requests of particular method types for specific HTTP endpoints while a more generic ARMR http rule (in protect mode, say) disallows the same method types for a larger set of HTTP endpoints.

Examples

The following ARMR http rule switches on the HTTP Verb Tampering security feature to protect against HTTP/HTTPS requests that use an unexpected value for the HTTP verb (method). The verb tampering validation ensures that the HTTP method used for all requests is one of GET or POST.

app("HTTP Verb Tampering mod"):
requires(version: ARMR/2.7)
http("HTTP method tampering protection, all HTTP endpoints"):
request()
validate(method, is: [GET, POST])
protect(message: "HTTP method/verb is not GET or POST", severity: Very-High)
endhttp
endapp

A log entry similar to the following is generated when the above ARMR http rule identifies an unexpected value for the HTTP request method:

Logging

<9>1 2021-03-30T17:43:54.538+01:00 userX_system java 32008 - - CEF:0|ARMR:ARMR|ARMR|2.7|HTTP method tampering protection, all HTTP endpoints|Execute Rule|Very-High|rt=Mar 30 2021 17:43:54.537 +0100 dvchost=userX_system procid=32008 appVersion=1 ruleType=http securityFeature=http input validation act=protect msg=HTTP method/verb is not GET or POST validationRule=OneOf:[GET, POST] value=DELETE httpRequestUri=/webapp/index.jsp httpRequestMethod=GET internalHttpRequestUri=/webapp/index.jsp remoteIpAddress=127.0.0.1 httpSessionId=3153E581A645E2A54D3C12D3928473BC httpCookies=JSESSIONID\=3153E581A645E2A54D3C12D3928473BC
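The security event above is a syslog-framed CEF record whose extension values contain spaces (rt, msg, securityFeature, validationRule) and an escaped `\=` inside httpCookies, so a naive split on whitespace or `=` mangles it. The following parser is an added example for consuming these events in a SIEM or log pipeline; it is not ARMR's own code. It embeds the page's log line verbatim as its sample input, and the field names it produces for the pipe-separated CEF header (cef_version, device_vendor, device_product, device_version, signature_id, name, severity) follow the standard CEF header order rather than anything ARMR documents. The triage summary it derives (blocked, offending_method, permitted, mismatch) is an assumed shape for illustration.

```python
import re
from typing import Dict, List, Optional

# Sample event: the log entry shown on this page, embedded verbatim so the
# example runs offline (the backslash before '=' is the CEF escape in httpCookies).
SAMPLE_EVENT = (
    "<9>1 2021-03-30T17:43:54.538+01:00 userX_system java 32008 - - "
    "CEF:0|ARMR:ARMR|ARMR|2.7|HTTP method tampering protection, all HTTP endpoints|"
    "Execute Rule|Very-High|rt=Mar 30 2021 17:43:54.537 +0100 dvchost=userX_system "
    "procid=32008 appVersion=1 ruleType=http securityFeature=http input validation "
    "act=protect msg=HTTP method/verb is not GET or POST validationRule=OneOf:[GET, POST] "
    "value=DELETE httpRequestUri=/webapp/index.jsp httpRequestMethod=GET "
    "internalHttpRequestUri=/webapp/index.jsp remoteIpAddress=127.0.0.1 "
    "httpSessionId=3153E581A645E2A54D3C12D3928473BC "
    "httpCookies=JSESSIONID\\=3153E581A645E2A54D3C12D3928473BC"
)

# Standard CEF header order; the names are this example's, not ARMR's.
CEF_HEADER_FIELDS = ["cef_version", "device_vendor", "device_product",
                     "device_version", "signature_id", "name", "severity"]

# An extension key is a word followed by '=' at the start of the extension or
# after whitespace; an escaped '\=' inside a value never satisfies this.
_KEY_RE = re.compile(r"(?:^|(?<=\s))([A-Za-z][A-Za-z0-9_]*)=")
_UNESCAPED_PIPE_RE = re.compile(r"(?<!\\)\|")


def _unescape(value: str) -> str:
    return value.replace("\\=", "=").replace("\\|", "|").replace("\\\\", "\\")


def parse_extension(ext: str) -> Dict[str, str]:
    """Split the CEF extension into key/value pairs. Values may contain spaces,
    so each value runs up to the next `key=` token, not the next space."""
    matches = list(_KEY_RE.finditer(ext))
    fields: Dict[str, str] = {}
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(ext)
        fields[m.group(1)] = _unescape(ext[m.end():end].strip())
    return fields


def parse_cef(line: str) -> Dict[str, str]:
    """Parse one syslog-framed CEF line into a flat dict of header + extension fields."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF event")
    parts = _UNESCAPED_PIPE_RE.split(line[start + len("CEF:"):], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    event = dict(zip(CEF_HEADER_FIELDS, (_unescape(p) for p in parts[:7])))
    if start > 0:
        event["syslog_header"] = line[:start].rstrip()
    event.update(parse_extension(parts[7]))
    return event


def permitted_methods(validation_rule: str) -> List[str]:
    """Turn the page's 'OneOf:[GET, POST]' form into ['GET', 'POST']."""
    m = re.fullmatch(r"OneOf:\[(.*)\]", validation_rule.strip())
    if not m:
        raise ValueError(f"unrecognised validationRule {validation_rule!r}")
    return [v.strip() for v in m.group(1).split(",") if v.strip()]


def summarise_verb_tampering(event: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Compact triage record for an http verb tampering event, or None for other
    rule types. 'blocked' is derived from act=protect; 'mismatch' re-checks that
    the logged value really is outside the permitted list."""
    if event.get("ruleType") != "http" or "validationRule" not in event:
        return None
    allowed = permitted_methods(event["validationRule"])
    return {
        "rule": event.get("signature_id"),
        "blocked": event.get("act") == "protect",
        "uri": event.get("httpRequestUri"),
        "offending_method": event.get("value"),
        "permitted": allowed,
        "mismatch": event.get("value") not in allowed,
        "source_ip": event.get("remoteIpAddress"),
    }


if __name__ == "__main__":
    parsed = parse_cef(SAMPLE_EVENT)
    for key in ("signature_id", "severity", "act", "msg", "validationRule", "value"):
        print(f"{key}: {parsed[key]}")
    print(summarise_verb_tampering(parsed))
```

Because the value of the validated method is carried in the `value` extension while `httpRequestMethod` is logged separately, the summary reports `value` as the offending method and keeps the permitted list so a detection rule can re-verify the mismatch rather than trusting `act` alone.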

Further Examples

The following mod ensures the HTTP method is one of GET, POST, PUT or DELETE. This applies to the “index.jsp” page of the application only.

app("HTTP Verb Tampering mod 2"):
requires(version: ARMR/2.7)
http("HTTP method tampering protection, specific HTTP endpoint"):
request(paths: "/webapp/index.jsp")
validate(method, is: [GET, POST, PUT, DELETE])
protect(message: "HTTP method/verb is not valid for index.jsp", severity: 8)
endhttp
endapp

The following mod will detect requests where the HTTP method is neither GET nor POST. This applies to the two pages of the application “testPageA.jsp” and “testPageB.jsp”.

app("HTTP Verb Tampering mod 3"):
requires(version: ARMR/2.7)
http("HTTP method tampering protection, multiple HTTP endpoints"):
request(paths: ["/webapp/testPageA.jsp", "/webapp/testPageB.jsp"])
validate(method, is: [GET, POST])
detect(message: "HTTP method/verb is not GET or POST for either test page", severity: Very-High)
endhttp
endapp

Logging On/Off Example

The following mod ensures the HTTP method must be GET. Logging is switched ON. As the message attribute is defined as an empty string (""), a default message is included in the msg extension of the security event.

app("HTTP Verb Tampering mod"):
requires(version: ARMR/2.7)
http("HTTP method tampering protection, all HTTP endpoints. Requests must be GET. Logging ON"):
request()
validate(method, is: [GET])
protect(message: "", severity: High)
endhttp
endapp

The following mod ensures the HTTP method must be GET. Logging is switched OFF by omitting the message attribute of the action.

app("HTTP Verb Tampering mod"):
requires(version: ARMR/2.7)
http("HTTP method tampering protection, all HTTP endpoints. Requests must be GET. Logging OFF"):
request()
validate(method, is: [GET])
protect(severity: High)
endhttp
endapp
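To make the rule semantics described on this page concrete (the request/validate/action structure, the allow action overriding a broader protect rule, the detect action requiring a message, and the logging ON/OFF behaviour of an empty versus omitted message attribute), here is an added Python model of that evaluation. It is an illustration written for this page, not ARMR's agent code or API: the HttpRule class, evaluate function, the outcome names "allowed", "detected" and "blocked", the rule precedence it applies, the DEFAULT_MESSAGE text and the SAMPLE_RULES set are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The HTTP verbs the page lists as possible values for the `is` key.
HTTP_METHODS = {"GET", "POST", "HEAD", "PUT", "DELETE", "CONNECT", "OPTIONS", "TRACE", "PATCH"}

# Assumed wording for the default message used when message is "" (the page
# does not state the real default text).
DEFAULT_MESSAGE = "HTTP method/verb validation failed"


@dataclass
class HttpRule:
    """One http rule reduced to the fields the page describes (a model, not ARMR's API)."""
    name: str
    allowed_methods: List[str]           # validate(method, is: [...])
    action: str                          # protect | detect | allow
    paths: Optional[List[str]] = None    # request(paths: ...); None = every endpoint
    message: Optional[str] = None        # None = attribute omitted (logging off), "" = default
    severity: str = "High"

    def __post_init__(self) -> None:
        if self.action not in ("protect", "detect", "allow"):
            raise ValueError(f"unknown action {self.action!r}")
        unknown = set(self.allowed_methods) - HTTP_METHODS
        if unknown:
            raise ValueError(f"unsupported HTTP verb(s) in `is`: {sorted(unknown)}")
        if self.paths is not None:
            for p in self.paths:
                if not p or not p.startswith("/"):   # must be a non-empty relative URI
                    raise ValueError(f"invalid path {p!r}")
        if self.action == "detect" and self.message is None:
            raise ValueError("detect requires a log message")

    def covers(self, path: str) -> bool:
        return self.paths is None or path in self.paths

    def log_line(self, method: str, path: str) -> Optional[str]:
        """CEF-style extension fields for a failed validation, or None when logging is off."""
        if self.message is None:
            return None
        msg = self.message or DEFAULT_MESSAGE
        rule = "OneOf:[" + ", ".join(self.allowed_methods) + "]"
        return (f"act={self.action} severity={self.severity} msg={msg} "
                f"validationRule={rule} value={method} httpRequestUri={path}")


def rule_is_valid(**kwargs) -> bool:
    """True if HttpRule(**kwargs) passes the declaration checks above."""
    try:
        HttpRule(**kwargs)
        return True
    except ValueError:
        return False


def evaluate(rules: List[HttpRule], method: str, path: str) -> Tuple[str, List[str]]:
    """Apply the rules to one request and return (outcome, log_lines).

    outcome is "allowed", "detected" (monitoring only, request proceeds) or
    "blocked" (processing stops, empty response). An allow rule that covers the
    path and lists the method exempts the request from the broader protect or
    detect rules, which is how the allow action is described on this page.
    """
    method = method.upper()
    for rule in rules:
        if rule.action == "allow" and rule.covers(path) and method in rule.allowed_methods:
            return "allowed", []

    outcome, logs = "allowed", []
    for rule in rules:
        if rule.action == "allow" or not rule.covers(path) or method in rule.allowed_methods:
            continue
        line = rule.log_line(method, path)
        if line is not None:
            logs.append(line)
        if rule.action == "protect":
            return "blocked", logs       # processing of the request stops here
        outcome = "detected"
    return outcome, logs


# Constructed rule set: the page's "all endpoints, GET or POST" protect mod, an
# allow mod that exempts PUT/DELETE on index.jsp, and a protect mod with no message.
SAMPLE_RULES = [
    HttpRule("all endpoints GET/POST", ["GET", "POST"], "protect",
             message="HTTP method/verb is not GET or POST", severity="Very-High"),
    HttpRule("index.jsp may also use PUT/DELETE", ["PUT", "DELETE"], "allow",
             paths=["/webapp/index.jsp"]),
    HttpRule("testPageA GET only, logging off", ["GET"], "protect",
             paths=["/webapp/testPageA.jsp"]),
]

if __name__ == "__main__":
    for m, p in [("GET", "/webapp/index.jsp"), ("DELETE", "/webapp/index.jsp"),
                 ("DELETE", "/webapp/other.jsp"), ("POST", "/webapp/testPageA.jsp")]:
        print(m, p, evaluate(SAMPLE_RULES, m, p))
```

The model separates the two ways a message attribute can be absent: message=None stands for the omitted attribute (no log line at all, as in the "Logging OFF" mod), while message="" stands for the empty string that still produces a log entry with a default msg. Declaration checks run in __post_init__, so a detect rule without a message or a paths value that is empty or not a relative URI is rejected when the rule is built rather than when a request arrives.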